guardskills 1.0.0 → 1.2.0

package/dist/cli.js

@@ -176,9 +176,13 @@ function enforceSourcePolicy(repoInput, policy) {
 
 // src/install/skills.ts
 import { execa } from "execa";
-async function runSkillsInstall(repo, skill) {
+async function runProviderInstall(provider, repo, skill) {
+  if (provider === "playbooks" && !skill) {
+    return 30;
+  }
+  const args = provider === "skills" ? skill ? ["skills", "add", repo, "--skill", skill] : ["skills", "add", repo] : provider === "playbooks" ? ["playbooks", "add", "skill", repo, "--skill", skill] : provider === "skillkit" ? skill ? ["skillkit", "install", repo, "--skill", skill] : ["skillkit", "install", repo] : skill ? ["openskills", "install", repo, skill] : ["openskills", "install", repo];
   try {
-    await execa("npx", ["skills", "add", repo, "--skill", skill], {
+    await execa("npx", args, {
       stdio: "inherit"
     });
     return 0;
@@ -284,6 +288,73 @@ function printHumanLocalReport(report) {
 function printJsonLocalReport(report) {
   console.log(JSON.stringify(report, null, 2));
 }
+function printHumanClawHubReport(report) {
+  console.log(`Command: ${report.command}`);
+  console.log(`Identifier: ${report.identifier}`);
+  console.log(`Registry: ${report.registry}`);
+  console.log(`Mapped Repo: ${report.repo}`);
+  console.log(`Skill: ${report.skill}`);
+  if (report.version) {
+    console.log(`Version: ${report.version}`);
+  }
+  console.log(`Mode: ${report.strict ? "strict" : "standard"}`);
+  if (report.configPath) {
+    console.log(`Config: ${report.configPath}`);
+  }
+  if (report.skillDir) {
+    console.log(`Skill Dir: ${report.skillDir}`);
+  }
+  if (report.commitSha) {
+    console.log(`Commit: ${report.commitSha}`);
+  }
+  if (report.moderation) {
+    const parts = [];
+    if (report.moderation.isSuspicious) {
+      parts.push("suspicious");
+    }
+    if (report.moderation.isMalwareBlocked) {
+      parts.push("malware-blocked");
+    }
+    if (report.moderation.isRemoved) {
+      parts.push("removed");
+    }
+    if (parts.length > 0) {
+      console.log(`ClawHub Moderation: ${parts.join(", ")}`);
+    }
+  }
+  console.log(`Files Scanned: ${report.scanFiles.length}`);
+  if (report.decision.riskScore === null) {
+    console.log("Result: UNVERIFIABLE");
+  } else {
+    console.log(`Risk Score: ${report.decision.riskScore.toFixed(1)}/100`);
+    console.log(`Decision: ${report.decision.level}`);
+  }
+  if (report.unverifiableReasons && report.unverifiableReasons.length > 0) {
+    console.log("Unverifiable Reasons:");
+    for (const reason of report.unverifiableReasons) {
+      console.log(`- ${reason}`);
+    }
+  }
+  if (report.decision.chainMatches.length > 0) {
+    console.log("Attack Chains:");
+    for (const chain of report.decision.chainMatches) {
+      console.log(`- ${chain.id} (+${chain.bonus}): ${chain.description}`);
+    }
+  }
+  if (report.decision.findings.length > 0) {
+    console.log("Findings:");
+    for (const finding of report.decision.findings.slice(0, 10)) {
+      const fileText = finding.file ? ` (${finding.file})` : "";
+      console.log(`- [${finding.severity}/${finding.confidence}] ${finding.title}${fileText}`);
+    }
+  } else {
+    console.log("Findings: none");
+  }
+  console.log(`Note: ${report.note}`);
+}
+function printJsonClawHubReport(report) {
+  console.log(JSON.stringify(report, null, 2));
+}
 
 // src/resolver/github.ts
 import path2 from "path";
@@ -976,6 +1047,22 @@ var cliAddOptionsSchema = z2.object({
   maxAuxFiles: z2.coerce.number().int().min(1).max(200).optional(),
   maxTotalFiles: z2.coerce.number().int().min(1).max(400).optional()
 });
+var cliBulkAddOptionsSchema = z2.object({
+  config: z2.string().optional(),
+  strict: z2.boolean().optional(),
+  ci: z2.boolean().optional(),
+  json: z2.boolean().optional(),
+  yes: z2.boolean().optional(),
+  dryRun: z2.boolean().optional(),
+  force: z2.boolean().optional(),
+  allowUnverifiable: z2.boolean().optional(),
+  githubTimeoutMs: z2.coerce.number().int().min(1e3).max(12e4).optional(),
+  githubRetries: z2.coerce.number().int().min(0).max(6).optional(),
+  githubRetryBaseMs: z2.coerce.number().int().min(50).max(5e3).optional(),
+  maxFileBytes: z2.coerce.number().int().min(4096).max(5e6).optional(),
+  maxAuxFiles: z2.coerce.number().int().min(1).max(200).optional(),
+  maxTotalFiles: z2.coerce.number().int().min(1).max(400).optional()
+});
 var effectiveAddOptionsSchema = z2.object({
   skill: z2.string().min(1),
   strict: z2.boolean(),
@@ -1095,9 +1182,11 @@ function evaluateGate(level, options) {
     gateNote: level === "WARNING" ? "WARNING accepted via --yes." : "SAFE to proceed."
   };
 }
-async function runAddCommand(repo, rawOptions) {
+async function runAddCommand(repo, rawOptions, context = {}) {
   const cliOptions = cliAddOptionsSchema.parse(rawOptions);
   const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
+  const provider = context.provider ?? "skills";
+  const commandName = context.commandName ?? "guardskills add";
   const options = resolveEffectiveAddOptions(cliOptions, loadedConfig.config);
   enforceSourcePolicy(repo, loadedConfig.config.policy);
   enforceOptionPolicy(options, loadedConfig.config);
@@ -1118,7 +1207,7 @@ async function runAddCommand(repo, rawOptions) {
   const gate = evaluateGate(decision.level, options);
   const configNote = loadedConfig.path ? ` Config: ${loadedConfig.path}` : "";
   const report = {
-    command: "guardskills add",
+    command: commandName,
     repo,
     skill: options.skill,
     strict: options.strict,
@@ -1143,12 +1232,14 @@ async function runAddCommand(repo, rawOptions) {
   if (options.dryRun || options.ci) {
     return 0;
   }
-  return runSkillsInstall(repo, options.skill);
+  return runProviderInstall(provider, repo, options.skill);
 }
 
-// src/commands/scan-local.ts
+// src/commands/openskills-install.ts
 import fs2 from "fs";
+import os from "os";
 import path4 from "path";
+import { execa as execa2 } from "execa";
 import { z as z3 } from "zod";
 var ALLOWED_TEXT_EXTENSIONS2 = /* @__PURE__ */ new Set([
   ".md",
@@ -1170,68 +1261,82 @@ var ALLOWED_TEXT_EXTENSIONS2 = /* @__PURE__ */ new Set([
   ".cfg"
 ]);
 var SKIP_DIRS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".turbo"]);
-var cliScanLocalOptionsSchema = z3.object({
+var cliOpenSkillsOptionsSchema = z3.object({
   config: z3.string().optional(),
   strict: z3.boolean().optional(),
+  ci: z3.boolean().optional(),
   json: z3.boolean().optional(),
-  skill: z3.string().min(1).optional(),
+  yes: z3.boolean().optional(),
+  dryRun: z3.boolean().optional(),
+  force: z3.boolean().optional(),
+  allowUnverifiable: z3.boolean().optional(),
+  githubTimeoutMs: z3.coerce.number().int().min(1e3).max(12e4).optional(),
+  githubRetries: z3.coerce.number().int().min(0).max(6).optional(),
+  githubRetryBaseMs: z3.coerce.number().int().min(50).max(5e3).optional(),
   maxFileBytes: z3.coerce.number().int().min(4096).max(5e6).optional(),
+  maxAuxFiles: z3.coerce.number().int().min(1).max(200).optional(),
   maxTotalFiles: z3.coerce.number().int().min(1).max(400).optional()
 });
-var effectiveScanLocalOptionsSchema = z3.object({
-  strict: z3.boolean(),
-  json: z3.boolean(),
-  skill: z3.string().min(1).optional(),
-  maxFileBytes: z3.number().int().min(4096).max(5e6),
-  maxTotalFiles: z3.number().int().min(1).max(400)
-});
 var DEFAULT_OPTIONS2 = {
   strict: false,
+  ci: false,
   json: false,
-  skill: void 0,
+  yes: false,
+  dryRun: false,
+  force: false,
+  allowUnverifiable: false,
+  githubTimeoutMs: 15e3,
+  githubRetries: 2,
+  githubRetryBaseMs: 300,
   maxFileBytes: 25e4,
+  maxAuxFiles: 40,
   maxTotalFiles: 120
 };
-function toPosixPath(filePath) {
-  return filePath.replace(/\\/g, "/");
+function resolveEffectiveOptions(cliOptions, config) {
+  const defaults = config.defaults ?? {};
+  const resolver = config.resolver ?? {};
+  return {
+    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS2.strict,
+    ci: cliOptions.ci ?? defaults.ci ?? DEFAULT_OPTIONS2.ci,
+    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS2.json,
+    yes: cliOptions.yes ?? defaults.yes ?? DEFAULT_OPTIONS2.yes,
+    dryRun: cliOptions.dryRun ?? defaults.dryRun ?? DEFAULT_OPTIONS2.dryRun,
+    force: cliOptions.force ?? defaults.force ?? DEFAULT_OPTIONS2.force,
+    allowUnverifiable: cliOptions.allowUnverifiable ?? defaults.allowUnverifiable ?? DEFAULT_OPTIONS2.allowUnverifiable,
+    githubTimeoutMs: cliOptions.githubTimeoutMs ?? resolver.githubTimeoutMs ?? DEFAULT_OPTIONS2.githubTimeoutMs,
+    githubRetries: cliOptions.githubRetries ?? resolver.githubRetries ?? DEFAULT_OPTIONS2.githubRetries,
+    githubRetryBaseMs: cliOptions.githubRetryBaseMs ?? resolver.githubRetryBaseMs ?? DEFAULT_OPTIONS2.githubRetryBaseMs,
+    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS2.maxFileBytes,
+    maxAuxFiles: cliOptions.maxAuxFiles ?? resolver.maxAuxFiles ?? DEFAULT_OPTIONS2.maxAuxFiles,
+    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS2.maxTotalFiles
+  };
 }
-function getNearbyPathSuggestions(targetPath) {
-  const parent = path4.dirname(targetPath);
-  if (!fs2.existsSync(parent)) {
-    return [];
+function enforceOptionPolicy2(options, config) {
+  const policy = config.policy;
+  if (!policy) {
+    return;
   }
-  const needle = path4.basename(targetPath).toLowerCase();
-  const suggestions = [];
-  for (const entry of fs2.readdirSync(parent, { withFileTypes: true })) {
-    if (entry.name.toLowerCase().includes(needle)) {
-      suggestions.push(path4.join(parent, entry.name));
-    }
+  if (options.force && policy.allowForce === false) {
+    throw new GuardSkillsError(
+      "POLICY_VIOLATION",
+      "Policy blocks --force overrides (allowForce=false)."
+    );
   }
-  return suggestions.slice(0, 5);
-}
-function isSkillFile(filePath) {
-  return path4.basename(filePath).toLowerCase() === "skill.md";
-}
-function isScannableTextFile(filePath) {
-  if (isSkillFile(filePath)) {
-    return true;
+  if (options.allowUnverifiable && policy.allowUnverifiableOverride === false) {
+    throw new GuardSkillsError(
+      "POLICY_VIOLATION",
+      "Policy blocks --allow-unverifiable overrides (allowUnverifiableOverride=false)."
+    );
   }
-  const ext = path4.extname(filePath).toLowerCase();
-  return ALLOWED_TEXT_EXTENSIONS2.has(ext);
 }
 function findSkillDirs(rootDir) {
   const found = /* @__PURE__ */ new Set();
   const stack = [{ dir: rootDir, depth: 0 }];
-  let seen = 0;
   while (stack.length > 0) {
     const current = stack.pop();
     if (!current) {
       continue;
     }
-    seen += 1;
-    if (seen > 5e3) {
-      break;
-    }
     const skillFile = path4.join(current.dir, "SKILL.md");
     if (fs2.existsSync(skillFile) && fs2.statSync(skillFile).isFile()) {
       found.add(current.dir);
@@ -1258,82 +1363,6 @@ function findSkillDirs(rootDir) {
   }
   return [...found].sort();
 }
-function formatCandidates(candidates) {
-  return candidates.map((candidate) => `- ${toPosixPath(candidate)}`).join("\n");
-}
-function resolveSkillDirectory(inputPath, preferredSkillName) {
-  const absoluteInput = path4.resolve(inputPath);
-  if (!fs2.existsSync(absoluteInput)) {
-    const suggestions = getNearbyPathSuggestions(absoluteInput);
-    const suggestionText = suggestions.length > 0 ? `
-Nearby paths:
-${formatCandidates(suggestions)}` : "";
-    throw new GuardSkillsError(
-      "INVALID_LOCAL_PATH",
-      `Local path not found: ${toPosixPath(absoluteInput)}${suggestionText}`
-    );
-  }
-  const stat = fs2.statSync(absoluteInput);
-  if (stat.isFile()) {
-    if (!isSkillFile(absoluteInput)) {
-      throw new GuardSkillsError(
-        "INVALID_LOCAL_PATH",
-        "Local scan expects a directory or a SKILL.md file path."
-      );
-    }
-    return {
-      skillDir: path4.dirname(absoluteInput),
-      note: "Using parent directory of provided SKILL.md file."
-    };
-  }
-  const directSkillFile = path4.join(absoluteInput, "SKILL.md");
-  if (fs2.existsSync(directSkillFile) && fs2.statSync(directSkillFile).isFile()) {
-    return { skillDir: absoluteInput };
-  }
-  const discovered = findSkillDirs(absoluteInput);
-  if (discovered.length === 0) {
-    throw new GuardSkillsError(
-      "INVALID_LOCAL_PATH",
-      `No SKILL.md found under: ${toPosixPath(absoluteInput)}`
-    );
-  }
-  if (preferredSkillName) {
-    const matches = discovered.filter(
-      (directory) => path4.basename(directory).toLowerCase() === preferredSkillName.toLowerCase()
-    );
-    if (matches.length === 1) {
-      const selected = matches[0];
-      if (!selected) {
-        throw new GuardSkillsError("INVALID_LOCAL_PATH", "Unable to resolve selected local skill.");
-      }
-      return {
-        skillDir: selected,
-        note: `Auto-selected skill '${preferredSkillName}' under the provided path.`
-      };
-    }
-    const available = discovered.map((directory) => path4.basename(directory));
-    throw new GuardSkillsError(
-      "INVALID_LOCAL_PATH",
-      `Requested --skill '${preferredSkillName}' was not found.
-Available skills: ${available.join(", ")}`
-    );
-  }
-  if (discovered.length === 1) {
-    const selected = discovered[0];
-    if (!selected) {
-      throw new GuardSkillsError("INVALID_LOCAL_PATH", "Unable to resolve discovered local skill.");
-    }
-    return {
-      skillDir: selected,
-      note: "Auto-selected the only SKILL.md found under the provided path."
-    };
-  }
-  throw new GuardSkillsError(
-    "INVALID_LOCAL_PATH",
-    `Multiple skills found under path. Provide --skill <name>.
-${formatCandidates(discovered)}`
-  );
-}
 function collectLocalFiles(skillDir, options) {
   const files = [];
   const unverifiableReasons = [];
@@ -1347,7 +1376,7 @@ function collectLocalFiles(skillDir, options) {
     try {
       entries = fs2.readdirSync(currentDir, { withFileTypes: true });
     } catch {
-      unverifiableReasons.push(`Cannot read directory: ${toPosixPath(currentDir)}`);
+      unverifiableReasons.push(`Cannot read directory: ${currentDir}`);
       continue;
     }
     for (const entry of entries) {
@@ -1361,8 +1390,10 @@ function collectLocalFiles(skillDir, options) {
       if (!entry.isFile()) {
         continue;
       }
-      const relativePath = toPosixPath(path4.relative(skillDir, fullPath));
-      if (!isScannableTextFile(relativePath)) {
+      const relativePath = path4.relative(skillDir, fullPath).replace(/\\/g, "/");
+      const ext = path4.extname(relativePath).toLowerCase();
+      const isSkillFile2 = path4.basename(relativePath).toLowerCase() === "skill.md";
+      if (!isSkillFile2 && !ALLOWED_TEXT_EXTENSIONS2.has(ext)) {
         continue;
       }
       if (files.length >= options.maxTotalFiles) {
@@ -1396,86 +1427,1233 @@ function collectLocalFiles(skillDir, options) {
   }
   return { files, unverifiableReasons };
 }
-function resolveEffectiveScanLocalOptions(cliOptions, config) {
-  const defaults = config.defaults ?? {};
-  const resolver = config.resolver ?? {};
-  return effectiveScanLocalOptionsSchema.parse({
-    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS2.strict,
-    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS2.json,
-    skill: cliOptions.skill ?? DEFAULT_OPTIONS2.skill,
-    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS2.maxFileBytes,
-    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS2.maxTotalFiles
-  });
-}
-async function runScanLocalCommand(inputPath, rawOptions) {
-  const cliOptions = cliScanLocalOptionsSchema.parse(rawOptions);
-  const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
-  const options = resolveEffectiveScanLocalOptions(cliOptions, loadedConfig.config);
-  const target = resolveSkillDirectory(inputPath, options.skill);
-  const { files, unverifiableReasons } = collectLocalFiles(target.skillDir, options);
-  if (files.length === 0) {
-    throw new GuardSkillsError(
-      "INVALID_LOCAL_PATH",
-      `No scannable text files found in: ${toPosixPath(target.skillDir)}`
-    );
+function resolveSource(source) {
+  const maybePath = path4.resolve(source);
+  if (fs2.existsSync(maybePath)) {
+    return { kind: "local", path: maybePath };
   }
-  const resolvedSkill = {
-    source: `local:${toPosixPath(target.skillDir)}`,
-    owner: "local",
-    repo: "local",
-    defaultBranch: "local",
-    commitSha: "local",
-    skillName: options.skill ?? path4.basename(target.skillDir),
-    skillDir: toPosixPath(target.skillDir),
-    skillFilePath: "SKILL.md",
-    files,
-    unverifiableReasons
-  };
-  const scan = scanResolvedSkill(resolvedSkill);
-  const decision = calculateRiskScore(scan.findings, {
-    strict: options.strict,
-    trustCredits: 0,
-    hasUnverifiableContent: scan.hasUnverifiableContent
-  });
-  const noteParts = ["Local scan complete."];
-  if (target.note) {
-    noteParts.push(target.note);
+  const shorthand = source.match(/^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/);
+  if (shorthand) {
+    return { kind: "git", cloneUrl: `https://github.com/${shorthand[1]}/${shorthand[2]}.git` };
   }
-  if (decision.level === "UNSAFE" || decision.level === "CRITICAL" || decision.level === "UNVERIFIABLE") {
-    noteParts.push("Blocked-level risk detected.");
+  try {
+    const parsed = new URL(source);
+    if (parsed.hostname === "github.com" || parsed.hostname === "www.github.com") {
+      return { kind: "git", cloneUrl: source.endsWith(".git") ? source : `${source}.git` };
+    }
+  } catch {
   }
-  if (loadedConfig.path) {
-    noteParts.push(`Config: ${loadedConfig.path}`);
+  return { kind: "git", cloneUrl: source };
+}
+function aggregateLevel(levels) {
+  if (levels.includes("UNVERIFIABLE")) {
+    return "UNVERIFIABLE";
   }
-  const report = {
-    command: "guardskills scan-local",
-    inputPath,
-    strict: options.strict,
-    configPath: loadedConfig.path ?? void 0,
-    decision,
-    scanFiles: resolvedSkill.files.map((file) => file.path),
-    skillDir: resolvedSkill.skillDir,
-    unverifiableReasons: scan.unverifiableReasons,
-    note: noteParts.join(" ")
-  };
-  if (options.json) {
-    printJsonLocalReport(report);
-  } else {
-    printHumanLocalReport(report);
+  if (levels.includes("CRITICAL")) {
+    return "CRITICAL";
   }
-  return decision.level === "UNSAFE" || decision.level === "CRITICAL" || decision.level === "UNVERIFIABLE" ? 20 : 0;
+  if (levels.includes("UNSAFE")) {
+    return "UNSAFE";
+  }
+  if (levels.includes("WARNING")) {
+    return "WARNING";
+  }
+  return "SAFE";
+}
+async function runInteractiveInstallCommand(provider, source, skillName, rawOptions) {
+  if (provider !== "openskills" && provider !== "skills" && provider !== "skillkit") {
+    throw new GuardSkillsError(
+      "INVALID_OPTIONS",
+      `Interactive install flow is not supported for provider '${provider}'.`
+    );
+  }
+  const cliOptions = cliOpenSkillsOptionsSchema.parse(rawOptions);
+  const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
+  const options = resolveEffectiveOptions(cliOptions, loadedConfig.config);
+  enforceSourcePolicy(source, loadedConfig.config.policy);
+  enforceOptionPolicy2(options, loadedConfig.config);
+  const resolvedSource = resolveSource(source);
+  const tempDir = resolvedSource.kind === "git" ? fs2.mkdtempSync(path4.join(os.tmpdir(), `guardskills-${provider}-`)) : null;
+  const scanRoot = resolvedSource.kind === "git" ? tempDir ?? "" : resolvedSource.path;
+  try {
+    if (resolvedSource.kind === "git") {
+      try {
+        await execa2("git", ["clone", "--depth", "1", resolvedSource.cloneUrl, scanRoot], {
+          timeout: options.githubTimeoutMs
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new GuardSkillsError(
+          "GITHUB_UNKNOWN",
+          `Failed to clone source '${source}' for ${provider} scan: ${message}`,
+          { cause: error }
+        );
+      }
+    }
+    const discovered = findSkillDirs(scanRoot);
+    if (discovered.length === 0) {
+      throw new GuardSkillsError("SKILL_NOT_FOUND", "No SKILL.md files were found in the source.");
+    }
+    const selectedDirs = skillName ? discovered.filter((dir) => path4.basename(dir).toLowerCase() === skillName.toLowerCase()) : discovered;
+    if (selectedDirs.length === 0) {
+      throw new GuardSkillsError(
+        "SKILL_NOT_FOUND",
+        `Skill '${skillName}' was not found. Available: ${discovered.map((dir) => path4.basename(dir)).join(", ")}`
+      );
+    }
+    const levels = [];
+    const summaries = [];
+    for (const skillDir of selectedDirs) {
+      const skill = path4.basename(skillDir);
+      const { files, unverifiableReasons } = collectLocalFiles(skillDir, options);
+      const resolvedSkill = {
+        source: `local:${skillDir}`,
+        owner: "local",
+        repo: "local",
+        defaultBranch: "local",
+        commitSha: "local",
+        skillName: skill,
+        skillDir: skillDir.replace(/\\/g, "/"),
+        skillFilePath: "SKILL.md",
+        files,
+        unverifiableReasons
+      };
+      const scan = scanResolvedSkill(resolvedSkill);
+      const decision = calculateRiskScore(scan.findings, {
+        strict: options.strict,
+        trustCredits: 0,
+        hasUnverifiableContent: scan.hasUnverifiableContent
+      });
+      levels.push(decision.level);
+      summaries.push({ skill, level: decision.level, riskScore: decision.riskScore });
+    }
+    const overall = aggregateLevel(levels);
+    const gate = evaluateGate(overall, { ...options, skill: skillName ?? "ALL_SKILLS" });
+    const label = provider === "openskills" ? "OpenSkills" : provider === "skillkit" ? "skillkit" : "skills.sh";
+    const note = `${gate.gateNote} ${label} flow: ${skillName ? "single skill" : "interactive skill selection"}.`;
+    if (options.json) {
+      console.log(
+        JSON.stringify(
+          {
+            command: `guardskills ${provider} ${provider === "skills" ? "add" : "install"}`,
+            source,
+            skill: skillName ?? null,
+            scannedSkills: summaries.length,
+            overallLevel: overall,
+            skills: summaries,
+            note
+          },
+          null,
+          2
+        )
+      );
+    } else {
+      console.log(`Command: guardskills ${provider} ${provider === "skills" ? "add" : "install"}`);
+      console.log(`Source: ${source}`);
+      console.log(`Selection: ${skillName ?? "interactive (all scanned)"}`);
+      console.log(`Scanned Skills: ${summaries.length}`);
+      console.log(`Decision: ${overall}`);
+      console.log("Per-skill results:");
+      for (const summary of summaries) {
+        const score = summary.riskScore === null ? "n/a" : summary.riskScore.toFixed(1);
+        console.log(`- ${summary.skill}: ${summary.level} (risk ${score})`);
+      }
+      console.log(`Note: ${note}`);
+    }
+    if (!gate.canInstall) {
+      return gate.exitCode;
+    }
+    if (options.dryRun || options.ci) {
+      return 0;
+    }
+    return runProviderInstall(provider, source, skillName);
+  } finally {
+    if (tempDir) {
+      fs2.rmSync(tempDir, { recursive: true, force: true });
+    }
+  }
+}
+
+// src/commands/scan-clawhub.ts
+import { z as z4 } from "zod";
+
+// src/resolver/clawhub.ts
+import path5 from "path";
+import JSZip from "jszip";
+var DEFAULT_REGISTRY_BASE_URL = "https://clawhub.ai";
+var DEFAULT_ARCHIVE_BASE_URL = "https://auth.clawdhub.com";
+var DEFAULT_REQUEST_TIMEOUT_MS2 = 15e3;
+var DEFAULT_MAX_FILE_SIZE_BYTES = 25e4;
+var DEFAULT_MAX_TOTAL_FILES = 120;
+var RETRYABLE_STATUS2 = /* @__PURE__ */ new Set([429, 500, 502, 503, 504]);
+var ALLOWED_TEXT_EXTENSIONS3 = /* @__PURE__ */ new Set([
+  ".md",
+  ".txt",
+  ".sh",
+  ".bash",
+  ".zsh",
+  ".ps1",
+  ".py",
+  ".js",
+  ".ts",
+  ".mjs",
+  ".cjs",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".ini",
+  ".cfg"
+]);
+function normalizeRegistryBaseUrl(input) {
+  const raw = input?.trim() || DEFAULT_REGISTRY_BASE_URL;
+  const withProtocol = /^https?:\/\//i.test(raw) ? raw : `https://${raw}`;
+  const url = new URL(withProtocol);
+  const pathname = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
+  return `${url.origin}${pathname}`;
+}
+function toApiCandidates(registryBaseUrl, identifier) {
+  const encodedIdentifier = encodeURIComponent(identifier);
+  const slugOnly = identifier.split("/").filter(Boolean).at(-1) ?? identifier;
+  const encodedSlug = encodeURIComponent(slugOnly);
+  return [
+    `${registryBaseUrl}/api/v1/package/${encodedIdentifier}`,
+    `${registryBaseUrl}/api/package/${encodedIdentifier}`,
+    `${registryBaseUrl}/api/v1/skills/${encodedSlug}`
+  ];
+}
+function tryParseClawHubUrl(input) {
+  try {
+    const parsed = new URL(input.trim());
+    const host = parsed.hostname.toLowerCase();
+    if (host !== "clawhub.ai" && host !== "www.clawhub.ai") {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function extractIdentifierCandidates(input) {
+  const trimmed = input.trim();
+  if (!trimmed) {
+    return [];
+  }
+  const candidates = [];
+  const pushUnique = (value) => {
+    if (!value) {
+      return;
+    }
+    const normalized = value.trim();
+    if (!normalized) {
+      return;
+    }
+    if (!candidates.includes(normalized)) {
+      candidates.push(normalized);
+    }
+  };
+  try {
+    const parsed = new URL(trimmed);
+    const host = parsed.hostname.toLowerCase();
+    if (host !== "clawhub.ai" && host !== "www.clawhub.ai") {
+      return [trimmed];
+    }
+    const segments = parsed.pathname.split("/").filter(Boolean);
+    if (segments.length >= 2 && segments[0] && segments[1]) {
+      pushUnique(`${segments[0]}/${segments[1]}`);
+    }
+    if (segments.length >= 3 && segments[0]?.toLowerCase() === "skills" && segments[1] && segments[2]) {
+      pushUnique(`${segments[1]}/${segments[2]}`);
+    }
+    if (segments.length > 0) {
+      pushUnique(segments.join("/"));
+      const last = segments.at(-1);
+      pushUnique(last);
+    }
+  } catch {
+    pushUnique(trimmed);
+  }
+  return candidates;
+}
+function mapClawHubError(error, operation) {
+  if (error instanceof GuardSkillsError) {
+    return error;
+  }
+  const status = typeof error === "object" && error !== null && "status" in error ? error.status : void 0;
+  const message = typeof error === "object" && error !== null && "message" in error ? String(error.message) : String(error);
+  const lowerMessage = message.toLowerCase();
+  if (status === 401 || status === 403) {
+    return new GuardSkillsError(
+      "CLAWHUB_AUTH",
+      `${operation} failed: authentication/authorization error from ClawHub.`,
+      { status, cause: error }
+    );
+  }
+  if (status === 404) {
+    return new GuardSkillsError("CLAWHUB_NOT_FOUND", `${operation} failed: resource not found.`, {
+      status,
+      cause: error
+    });
+  }
+  if (status !== void 0 && RETRYABLE_STATUS2.has(status)) {
+    return new GuardSkillsError(
+      status === 429 ? "CLAWHUB_RATE_LIMIT" : "CLAWHUB_TRANSIENT",
+      `${operation} failed with retryable ClawHub status ${status}.`,
+      { status, retryable: true, cause: error }
+    );
+  }
+  if (lowerMessage.includes("timeout") || lowerMessage.includes("timed out") || lowerMessage.includes("abort")) {
+    return new GuardSkillsError("CLAWHUB_TIMEOUT", `${operation} timed out while calling ClawHub API.`, {
+      retryable: true,
+      cause: error
+    });
+  }
+  return new GuardSkillsError("CLAWHUB_UNKNOWN", `${operation} failed: ${message}`, {
+    status,
+    cause: error
+  });
+}
+function unwrapResponsePayload(payload) {
+  if (!payload || typeof payload !== "object") {
+    throw new GuardSkillsError("CLAWHUB_UNKNOWN", "ClawHub returned a non-object JSON payload.");
+  }
+  const objectPayload = payload;
+  if (objectPayload.data && typeof objectPayload.data === "object") {
+    return objectPayload.data;
+  }
+  return objectPayload;
+}
+async function fetchJson(url, timeoutMs) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: { accept: "application/json" },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw { status: response.status, message: `${response.status} ${response.statusText}` };
+    }
+    const payload = await response.json();
+    return unwrapResponsePayload(payload);
+  } catch (error) {
+    throw mapClawHubError(error, `ClawHub metadata fetch (${url})`);
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function fetchText(url, timeoutMs) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: { accept: "text/html,application/xhtml+xml" },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw { status: response.status, message: `${response.status} ${response.statusText}` };
+    }
+    return await response.text();
+  } catch (error) {
+    throw mapClawHubError(error, `ClawHub page fetch (${url})`);
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function fetchArrayBuffer(url, timeoutMs) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw { status: response.status, message: `${response.status} ${response.statusText}` };
+    }
+    return await response.arrayBuffer();
+  } catch (error) {
+    throw mapClawHubError(error, `ClawHub archive fetch (${url})`);
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function normalizeRepoRef(candidate) {
+  const trimmed = candidate.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const shorthand = trimmed.match(/^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/);
+  if (shorthand && shorthand[1] && shorthand[2]) {
+    return `${shorthand[1]}/${shorthand[2].replace(/\.git$/i, "")}`;
+  }
+  try {
+    const parsed = new URL(trimmed);
+    if (!(parsed.hostname === "github.com" || parsed.hostname === "www.github.com")) {
+      return null;
+    }
+    const parts = parsed.pathname.split("/").filter(Boolean);
+    if (parts.length < 2 || !parts[0] || !parts[1]) {
+      return null;
+    }
+    return `${parts[0]}/${parts[1].replace(/\.git$/i, "")}`;
+  } catch {
+    return null;
+  }
+}
+function getNestedString(obj, ...keys) {
+  let cursor = obj;
+  for (const key of keys) {
+    if (!cursor || typeof cursor !== "object" || !(key in cursor)) {
+      return void 0;
+    }
+    cursor = cursor[key];
+  }
+  return typeof cursor === "string" && cursor.trim() ? cursor.trim() : void 0;
+}
+function getNestedBoolean(obj, ...keys) {
+  let cursor = obj;
+  for (const key of keys) {
+    if (!cursor || typeof cursor !== "object" || !(key in cursor)) {
+      return void 0;
+    }
+    cursor = cursor[key];
+  }
+  return typeof cursor === "boolean" ? cursor : void 0;
+}
+function isLikelyTextFile2(filePath) {
+  const lower = filePath.toLowerCase();
+  if (lower.endsWith("/skill.md") || lower === "skill.md") {
+    return true;
+  }
+  const ext = path5.posix.extname(lower);
+  return ALLOWED_TEXT_EXTENSIONS3.has(ext);
+}
+function isBinaryContent2(content) {
+  return content.includes("\0");
+}
+function collectGitHubRepos(value, collected, seen) {
+  if (value === null || value === void 0) {
+    return;
+  }
+  if (typeof value === "string") {
+    const repo = normalizeRepoRef(value);
+    if (repo) {
+      collected.add(repo);
+    }
+    return;
+  }
+  if (typeof value !== "object") {
+    return;
+  }
+  if (seen.has(value)) {
+    return;
+  }
+  seen.add(value);
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      collectGitHubRepos(item, collected, seen);
+    }
+    return;
+  }
+  for (const nested of Object.values(value)) {
+    collectGitHubRepos(nested, collected, seen);
+  }
+}
+function collectPossibleSkillNames(identifier, metadata, override) {
+  const names = /* @__PURE__ */ new Set();
+  if (override?.trim()) {
+    names.add(override.trim());
+  }
+  const lastSegment = identifier.split(/[/:@]/).filter(Boolean).at(-1);
+  if (lastSegment) {
+    names.add(lastSegment);
+  }
+  const maybePush = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      names.add(value.trim());
+    }
+  };
+  maybePush(metadata.skill);
+  maybePush(metadata.slug);
+  maybePush(metadata.name);
+  maybePush(metadata.id);
+  return [...names];
+}
+function parseArchiveMetadata(metadata, identifier, requestedVersion) {
+  const ownerFromMetadata = getNestedString(metadata, "owner", "handle") ?? getNestedString(metadata, "owner") ?? getNestedString(metadata, "author") ?? getNestedString(metadata, "publisher");
+  const slugFromMetadata = getNestedString(metadata, "skill", "slug") ?? getNestedString(metadata, "slug") ?? getNestedString(metadata, "name");
+  const versionFromMetadata = requestedVersion ?? getNestedString(metadata, "latestVersion", "version") ?? getNestedString(metadata, "version");
+  const identifierParts = identifier.split("/").filter(Boolean);
+  const ownerFromIdentifier = identifierParts.length >= 2 ? identifierParts[0] : void 0;
+  const slugFromIdentifier = identifierParts.length > 0 ? identifierParts.at(-1) : void 0;
+  const owner = ownerFromMetadata ?? ownerFromIdentifier;
+  const slug = slugFromMetadata ?? slugFromIdentifier;
+  if (!owner || !slug) {
+    return null;
+  }
+  return { owner, slug, version: versionFromMetadata };
+}
+function parseClawHubModeration(metadata) {
+  const isSuspicious = getNestedBoolean(metadata, "moderation", "isSuspicious") ?? getNestedBoolean(metadata, "isSuspicious");
+  const isMalwareBlocked = getNestedBoolean(metadata, "moderation", "isMalwareBlocked") ?? getNestedBoolean(metadata, "isMalwareBlocked");
+  const isRemoved = getNestedBoolean(metadata, "moderation", "isRemoved") ?? getNestedBoolean(metadata, "isRemoved");
+  if (isSuspicious === void 0 && isMalwareBlocked === void 0 && isRemoved === void 0) {
+    return void 0;
+  }
+  return { isSuspicious, isMalwareBlocked, isRemoved };
+}
+async function resolveSkillFromArchive(metadata, identifier, options) {
+  const archiveMeta = parseArchiveMetadata(metadata, identifier, options.version);
+  if (!archiveMeta) {
+    return null;
+  }
+  const timeoutMs = options.requestTimeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS2;
+  const maxFileSizeBytes = options.maxFileSizeBytes ?? DEFAULT_MAX_FILE_SIZE_BYTES;
+  const maxTotalFiles = options.maxTotalFiles ?? DEFAULT_MAX_TOTAL_FILES;
+  const params = new URLSearchParams({ slug: archiveMeta.slug });
+  if (archiveMeta.version) {
+    params.set("version", archiveMeta.version);
+  }
+  const downloadUrl = `${DEFAULT_ARCHIVE_BASE_URL}/api/v1/download?${params.toString()}`;
+  const archiveBuffer = await fetchArrayBuffer(downloadUrl, timeoutMs);
+  const zip = await JSZip.loadAsync(Buffer.from(archiveBuffer));
+  const files = new Array();
+  const unverifiableReasons = [];
+  let skillFilePath = null;
+  const entries = Object.values(zip.files);
+  for (const entry of entries) {
+    if (entry.dir) {
+      continue;
+    }
+    const normalizedPath = entry.name.replace(/\\/g, "/");
+    if (!isLikelyTextFile2(normalizedPath)) {
+      continue;
+    }
+    if (files.length >= maxTotalFiles) {
+      unverifiableReasons.push(
+        `Resolved archive file count exceeds maxTotalFiles=${maxTotalFiles}; scan truncated.`
+      );
+      break;
+    }
+    const contentBuffer = await entry.async("nodebuffer");
+    if (contentBuffer.length > maxFileSizeBytes) {
+      unverifiableReasons.push(
+        `File too large to scan safely: ${normalizedPath}`
+      );
+      continue;
+    }
+    const content = contentBuffer.toString("utf8");
+    if (isBinaryContent2(content)) {
+      unverifiableReasons.push(`Binary content detected: ${normalizedPath}`);
+      continue;
+    }
+    files.push({ path: normalizedPath, content });
+    if (!skillFilePath && normalizedPath.toLowerCase().endsWith("/skill.md")) {
+      skillFilePath = normalizedPath;
+    }
+    if (!skillFilePath && normalizedPath.toLowerCase() === "skill.md") {
+      skillFilePath = normalizedPath;
+    }
+  }
+  if (!skillFilePath) {
+    skillFilePath = files.find((file) => file.path.toLowerCase().endsWith("skill.md"))?.path ?? null;
+  }
+  if (!skillFilePath || files.length === 0) {
+    return null;
+  }
+  const moderation = parseClawHubModeration(metadata);
+  return {
+    source: `clawhub:${archiveMeta.owner}/${archiveMeta.slug}${archiveMeta.version ? `@${archiveMeta.version}` : ""}`,
+    owner: archiveMeta.owner,
+    repo: "clawhub-archive",
+    defaultBranch: "archive",
+    commitSha: archiveMeta.version ?? "archive",
+    skillName: options.skillNameOverride ?? archiveMeta.slug,
+    skillDir: path5.posix.dirname(skillFilePath),
+    skillFilePath,
+    files,
+    unverifiableReasons: [...unverifiableReasons],
+    sourceMetadata: moderation ? {
+      clawhubModeration: moderation
+    } : void 0
+  };
+}
+function extractMetadataFromClawHubPage(html, pageUrl) {
+  const metadata = {};
+  const githubUrlMatch = html.match(/https?:\/\/github\.com\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)/i);
+  if (githubUrlMatch?.[1] && githubUrlMatch[2]) {
+    metadata.repository = `https://github.com/${githubUrlMatch[1]}/${githubUrlMatch[2]}`;
+  }
+  const directRepoMatch = html.match(/"repository"\s*:\s*"([^"]+)"/i);
+  if (directRepoMatch?.[1]) {
+    metadata.repository = directRepoMatch[1];
+  }
+  const pathnameParts = pageUrl.pathname.split("/").filter(Boolean);
+  if (pathnameParts.length >= 2 && pathnameParts[1]) {
+    metadata.skill = pathnameParts[1];
+  }
+  return Object.keys(metadata).length > 0 ? metadata : null;
+}
+async function resolveFromClawHubPageUrl(input, timeoutMs) {
+  const parsed = tryParseClawHubUrl(input);
+  if (!parsed) {
+    return null;
+  }
+  const html = await fetchText(parsed.toString(), timeoutMs);
+  return extractMetadataFromClawHubPage(html, parsed);
+}
+async function resolveSkillFromClawHub(identifier, options = {}) {
+  const identifierCandidates = extractIdentifierCandidates(identifier);
+  if (identifierCandidates.length === 0) {
+    throw new GuardSkillsError("CLAWHUB_UNKNOWN", "ClawHub identifier is required.");
+  }
+  const requestTimeoutMs = options.requestTimeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS2;
+  const registryBaseUrl = normalizeRegistryBaseUrl(options.registryBaseUrl);
+  let metadata = null;
+  let resolvedIdentifier = null;
+  let lastError = null;
+  for (const identifierCandidate of identifierCandidates) {
+    const candidateUrls = toApiCandidates(registryBaseUrl, identifierCandidate);
+    for (const url of candidateUrls) {
+      try {
+        metadata = await fetchJson(url, requestTimeoutMs);
+        resolvedIdentifier = identifierCandidate;
+        break;
+      } catch (error) {
+        const mapped = mapClawHubError(error, "ClawHub package lookup");
+        lastError = mapped;
+        if (mapped.code !== "CLAWHUB_NOT_FOUND") {
+          break;
+        }
+      }
+    }
+    if (metadata) {
+      break;
+    }
+  }
+  if (!metadata) {
+    try {
+      metadata = await resolveFromClawHubPageUrl(identifier, requestTimeoutMs);
+      if (metadata) {
+        resolvedIdentifier = identifierCandidates[0] ?? identifier;
+      }
+    } catch (error) {
+      lastError = mapClawHubError(error, "ClawHub skill page fallback");
+    }
+  }
+  if (!metadata) {
+    if (lastError) {
+      throw lastError;
+    }
+    throw new GuardSkillsError(
+      "CLAWHUB_NOT_FOUND",
+      `Unable to resolve '${identifier}' from ClawHub. Candidates tried: ${identifierCandidates.join(", ")}.`
+    );
+  }
+  const canonicalIdentifier = resolvedIdentifier ?? identifierCandidates[0] ?? identifier;
+  const repos = /* @__PURE__ */ new Set();
+  collectGitHubRepos(metadata, repos, /* @__PURE__ */ new Set());
+  const skillCandidates = collectPossibleSkillNames(canonicalIdentifier, metadata, options.skillNameOverride);
+  if (skillCandidates.length === 0) {
+    throw new GuardSkillsError(
+      "CLAWHUB_UNKNOWN",
+      `Could not infer skill name for ClawHub package '${canonicalIdentifier}'. Use --skill.`
+    );
+  }
+  let resolved = null;
+  let resolveError;
+  const githubOptions = {
+    requestTimeoutMs: options.requestTimeoutMs,
+    maxFileSizeBytes: options.maxFileSizeBytes,
+    maxAuxFiles: options.maxAuxFiles,
+    maxTotalFiles: options.maxTotalFiles,
+    retries: options.retries,
+    retryBaseDelayMs: options.retryBaseDelayMs
+  };
+  if (repos.size > 0) {
+    for (const repo of repos) {
+      for (const skillName of skillCandidates) {
+        try {
+          resolved = await resolveSkillFromGitHub(repo, skillName, githubOptions);
+          break;
+        } catch (error) {
+          resolveError = error;
+        }
+      }
+      if (resolved) {
+        break;
+      }
+    }
+  }
+  if (!resolved) {
+    const archiveResolved = await resolveSkillFromArchive(metadata, canonicalIdentifier, options);
+    if (archiveResolved) {
+      return archiveResolved;
+    }
+    if (repos.size === 0) {
+      throw new GuardSkillsError(
+        "CLAWHUB_UNKNOWN",
+        `ClawHub package '${canonicalIdentifier}' did not expose a resolvable GitHub source or archive payload.`
+      );
+    }
+    throw new GuardSkillsError(
+      "SKILL_NOT_FOUND",
+      `Unable to map ClawHub package '${canonicalIdentifier}' to a GitHub skill. Repos tried: ${[...repos].join(", ")}. Skill names tried: ${skillCandidates.join(", ")}.`,
+      { cause: resolveError }
+    );
+  }
+  const packageVersion = options.version ?? (typeof metadata.version === "string" ? metadata.version : void 0);
+  const sourceSuffix = packageVersion ? `${canonicalIdentifier}@${packageVersion}` : canonicalIdentifier;
+  const moderation = parseClawHubModeration(metadata);
+  return {
+    ...resolved,
+    source: `clawhub:${sourceSuffix}`,
+    unverifiableReasons: [...resolved.unverifiableReasons],
+    sourceMetadata: moderation ? {
+      ...resolved.sourceMetadata ?? {},
+      clawhubModeration: moderation
+    } : resolved.sourceMetadata
+  };
+}
+
+// src/commands/scan-clawhub.ts
+var cliScanClawHubOptionsSchema = z4.object({
+  config: z4.string().optional(),
+  strict: z4.boolean().optional(),
+  json: z4.boolean().optional(),
+  skill: z4.string().min(1).optional(),
+  version: z4.string().min(1).optional(),
+  clawhubRegistry: z4.string().min(1).optional(),
+  githubTimeoutMs: z4.coerce.number().int().min(1e3).max(12e4).optional(),
+  githubRetries: z4.coerce.number().int().min(0).max(6).optional(),
+  githubRetryBaseMs: z4.coerce.number().int().min(50).max(5e3).optional(),
+  maxFileBytes: z4.coerce.number().int().min(4096).max(5e6).optional(),
+  maxAuxFiles: z4.coerce.number().int().min(1).max(200).optional(),
+  maxTotalFiles: z4.coerce.number().int().min(1).max(400).optional()
+});
+var effectiveScanClawHubOptionsSchema = z4.object({
+  strict: z4.boolean(),
+  json: z4.boolean(),
+  skill: z4.string().min(1).optional(),
+  version: z4.string().min(1).optional(),
+  clawhubRegistry: z4.string().min(1),
+  githubTimeoutMs: z4.number().int().min(1e3).max(12e4),
+  githubRetries: z4.number().int().min(0).max(6),
+  githubRetryBaseMs: z4.number().int().min(50).max(5e3),
+  maxFileBytes: z4.number().int().min(4096).max(5e6),
+  maxAuxFiles: z4.number().int().min(1).max(200),
+  maxTotalFiles: z4.number().int().min(1).max(400)
+});
+var DEFAULT_OPTIONS3 = {
+  strict: false,
+  json: false,
+  skill: void 0,
+  version: void 0,
+  clawhubRegistry: "https://clawhub.ai",
+  githubTimeoutMs: 15e3,
+  githubRetries: 2,
+  githubRetryBaseMs: 300,
+  maxFileBytes: 25e4,
+  maxAuxFiles: 40,
+  maxTotalFiles: 120
+};
+function alignWithClawHubModeration(baseDecision, moderation) {
+  if (!moderation) {
+    return { decision: baseDecision };
+  }
+  if (moderation.isMalwareBlocked) {
+    return {
+      decision: {
+        ...baseDecision,
+        riskScore: 100,
+        safetyScore: 0,
+        level: "CRITICAL",
+        reason: "ClawHub moderation marked this skill as malware-blocked."
+      },
+      moderationNote: "Aligned with ClawHub moderation: malware-blocked."
+    };
+  }
+  if (moderation.isSuspicious && baseDecision.level === "SAFE") {
+    const adjustedRisk = Math.max(baseDecision.riskScore ?? 0, 30);
+    return {
+      decision: {
+        ...baseDecision,
+        riskScore: adjustedRisk,
+        safetyScore: 100 - adjustedRisk,
+        level: "WARNING",
+        reason: "ClawHub moderation marked this skill as suspicious."
+      },
+      moderationNote: "Aligned with ClawHub moderation: suspicious."
+    };
+  }
+  return { decision: baseDecision };
+}
+function resolveEffectiveScanClawHubOptions(cliOptions, config) {
+  const defaults = config.defaults ?? {};
+  const resolver = config.resolver ?? {};
+  return effectiveScanClawHubOptionsSchema.parse({
+    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS3.strict,
+    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS3.json,
+    skill: cliOptions.skill ?? DEFAULT_OPTIONS3.skill,
+    version: cliOptions.version ?? DEFAULT_OPTIONS3.version,
+    clawhubRegistry: cliOptions.clawhubRegistry ?? DEFAULT_OPTIONS3.clawhubRegistry,
+    githubTimeoutMs: cliOptions.githubTimeoutMs ?? resolver.githubTimeoutMs ?? DEFAULT_OPTIONS3.githubTimeoutMs,
+    githubRetries: cliOptions.githubRetries ?? resolver.githubRetries ?? DEFAULT_OPTIONS3.githubRetries,
+    githubRetryBaseMs: cliOptions.githubRetryBaseMs ?? resolver.githubRetryBaseMs ?? DEFAULT_OPTIONS3.githubRetryBaseMs,
+    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS3.maxFileBytes,
+    maxAuxFiles: cliOptions.maxAuxFiles ?? resolver.maxAuxFiles ?? DEFAULT_OPTIONS3.maxAuxFiles,
+    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS3.maxTotalFiles
+  });
+}
+async function runScanClawHubCommand(identifier, rawOptions) {
+  const cliOptions = cliScanClawHubOptionsSchema.parse(rawOptions);
+  const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
+  const options = resolveEffectiveScanClawHubOptions(cliOptions, loadedConfig.config);
+  const resolved = await resolveSkillFromClawHub(identifier, {
+    registryBaseUrl: options.clawhubRegistry,
+    version: options.version,
+    skillNameOverride: options.skill,
+    requestTimeoutMs: options.githubTimeoutMs,
+    retries: options.githubRetries,
+    retryBaseDelayMs: options.githubRetryBaseMs,
+    maxFileSizeBytes: options.maxFileBytes,
+    maxAuxFiles: options.maxAuxFiles,
+    maxTotalFiles: options.maxTotalFiles
+  });
+  const scan = scanResolvedSkill(resolved);
+  const baseDecision = calculateRiskScore(scan.findings, {
+    strict: options.strict,
+    trustCredits: 0,
+    hasUnverifiableContent: scan.hasUnverifiableContent
+  });
+  const moderation = resolved.sourceMetadata?.clawhubModeration;
+  const { decision, moderationNote } = alignWithClawHubModeration(baseDecision, moderation);
+  const noteParts = ["ClawHub scan complete."];
+  if (moderationNote) {
+    noteParts.push(moderationNote);
+  }
+  if (decision.level === "UNSAFE" || decision.level === "CRITICAL" || decision.level === "UNVERIFIABLE") {
+    noteParts.push("Blocked-level risk detected.");
+  }
+  if (loadedConfig.path) {
+    noteParts.push(`Config: ${loadedConfig.path}`);
+  }
+  const report = {
+    command: "guardskills scan-clawhub",
+    identifier,
+    registry: options.clawhubRegistry,
+    strict: options.strict,
+    configPath: loadedConfig.path ?? void 0,
+    decision,
+    scanFiles: resolved.files.map((file) => file.path),
+    skillDir: resolved.skillDir,
+    repo: `${resolved.owner}/${resolved.repo}`,
+    skill: resolved.skillName,
+    version: options.version,
+    commitSha: resolved.commitSha,
+    moderation,
+    unverifiableReasons: scan.unverifiableReasons,
+    note: noteParts.join(" ")
+  };
+  if (options.json) {
+    printJsonClawHubReport(report);
+  } else {
+    printHumanClawHubReport(report);
+  }
+  return decision.level === "UNSAFE" || decision.level === "CRITICAL" || decision.level === "UNVERIFIABLE" ? 20 : 0;
+}
+
+// src/commands/scan-local.ts
+import fs3 from "fs";
+import path6 from "path";
+import { z as z5 } from "zod";
+var ALLOWED_TEXT_EXTENSIONS4 = /* @__PURE__ */ new Set([
+  ".md",
+  ".txt",
+  ".sh",
+  ".bash",
+  ".zsh",
+  ".ps1",
+  ".py",
+  ".js",
+  ".ts",
+  ".mjs",
+  ".cjs",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".ini",
+  ".cfg"
+]);
+var SKIP_DIRS2 = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".turbo"]);
+var cliScanLocalOptionsSchema = z5.object({
+  config: z5.string().optional(),
+  strict: z5.boolean().optional(),
+  json: z5.boolean().optional(),
+  skill: z5.string().min(1).optional(),
+  maxFileBytes: z5.coerce.number().int().min(4096).max(5e6).optional(),
+  maxTotalFiles: z5.coerce.number().int().min(1).max(400).optional()
+});
+var effectiveScanLocalOptionsSchema = z5.object({
+  strict: z5.boolean(),
+  json: z5.boolean(),
+  skill: z5.string().min(1).optional(),
+  maxFileBytes: z5.number().int().min(4096).max(5e6),
+  maxTotalFiles: z5.number().int().min(1).max(400)
+});
+var DEFAULT_OPTIONS4 = {
+  strict: false,
+  json: false,
+  skill: void 0,
+  maxFileBytes: 25e4,
+  maxTotalFiles: 120
+};
+function toPosixPath(filePath) {
+  return filePath.replace(/\\/g, "/");
+}
+function getNearbyPathSuggestions(targetPath) {
+  const parent = path6.dirname(targetPath);
+  if (!fs3.existsSync(parent)) {
+    return [];
+  }
+  const needle = path6.basename(targetPath).toLowerCase();
+  const suggestions = [];
+  for (const entry of fs3.readdirSync(parent, { withFileTypes: true })) {
+    if (entry.name.toLowerCase().includes(needle)) {
+      suggestions.push(path6.join(parent, entry.name));
+    }
+  }
+  return suggestions.slice(0, 5);
+}
+function isSkillFile(filePath) {
+  return path6.basename(filePath).toLowerCase() === "skill.md";
+}
+function isScannableTextFile(filePath) {
+  if (isSkillFile(filePath)) {
+    return true;
+  }
+  const ext = path6.extname(filePath).toLowerCase();
+  return ALLOWED_TEXT_EXTENSIONS4.has(ext);
+}
+function findSkillDirs2(rootDir) {
+  const found = /* @__PURE__ */ new Set();
+  const stack = [{ dir: rootDir, depth: 0 }];
+  let seen = 0;
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (!current) {
+      continue;
+    }
+    seen += 1;
+    if (seen > 5e3) {
+      break;
+    }
+    const skillFile = path6.join(current.dir, "SKILL.md");
+    if (fs3.existsSync(skillFile) && fs3.statSync(skillFile).isFile()) {
+      found.add(current.dir);
+      continue;
+    }
+    if (current.depth >= 8) {
+      continue;
+    }
+    let entries;
+    try {
+      entries = fs3.readdirSync(current.dir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory()) {
+        continue;
+      }
+      if (SKIP_DIRS2.has(entry.name)) {
+        continue;
+      }
+      stack.push({ dir: path6.join(current.dir, entry.name), depth: current.depth + 1 });
+    }
+  }
+  return [...found].sort();
+}
+function formatCandidates(candidates) {
+  return candidates.map((candidate) => `- ${toPosixPath(candidate)}`).join("\n");
+}
+function resolveSkillDirectory(inputPath, preferredSkillName) {
+  const absoluteInput = path6.resolve(inputPath);
+  if (!fs3.existsSync(absoluteInput)) {
+    const suggestions = getNearbyPathSuggestions(absoluteInput);
+    const suggestionText = suggestions.length > 0 ? `
+Nearby paths:
+${formatCandidates(suggestions)}` : "";
+    throw new GuardSkillsError(
+      "INVALID_LOCAL_PATH",
+      `Local path not found: ${toPosixPath(absoluteInput)}${suggestionText}`
+    );
+  }
+  const stat = fs3.statSync(absoluteInput);
+  if (stat.isFile()) {
+    if (!isSkillFile(absoluteInput)) {
+      throw new GuardSkillsError(
+        "INVALID_LOCAL_PATH",
+        "Local scan expects a directory or a SKILL.md file path."
+      );
+    }
+    return {
+      skillDir: path6.dirname(absoluteInput),
+      note: "Using parent directory of provided SKILL.md file."
+    };
+  }
+  const directSkillFile = path6.join(absoluteInput, "SKILL.md");
+  if (fs3.existsSync(directSkillFile) && fs3.statSync(directSkillFile).isFile()) {
+    return { skillDir: absoluteInput };
+  }
+  const discovered = findSkillDirs2(absoluteInput);
+  if (discovered.length === 0) {
+    throw new GuardSkillsError(
+      "INVALID_LOCAL_PATH",
+      `No SKILL.md found under: ${toPosixPath(absoluteInput)}`
+    );
+  }
+  if (preferredSkillName) {
+    const matches = discovered.filter(
+      (directory) => path6.basename(directory).toLowerCase() === preferredSkillName.toLowerCase()
+    );
+    if (matches.length === 1) {
+      const selected = matches[0];
+      if (!selected) {
+        throw new GuardSkillsError("INVALID_LOCAL_PATH", "Unable to resolve selected local skill.");
+      }
+      return {
+        skillDir: selected,
+        note: `Auto-selected skill '${preferredSkillName}' under the provided path.`
+      };
+    }
+    const available = discovered.map((directory) => path6.basename(directory));
+    throw new GuardSkillsError(
+      "INVALID_LOCAL_PATH",
+      `Requested --skill '${preferredSkillName}' was not found.
+Available skills: ${available.join(", ")}`
+    );
+  }
+  if (discovered.length === 1) {
+    const selected = discovered[0];
+    if (!selected) {
+      throw new GuardSkillsError("INVALID_LOCAL_PATH", "Unable to resolve discovered local skill.");
+    }
+    return {
+      skillDir: selected,
+      note: "Auto-selected the only SKILL.md found under the provided path."
+    };
+  }
+  throw new GuardSkillsError(
+    "INVALID_LOCAL_PATH",
+    `Multiple skills found under path. Provide --skill <name>.
+${formatCandidates(discovered)}`
+  );
+}
+function collectLocalFiles2(skillDir, options) {
+  const files = [];
+  const unverifiableReasons = [];
+  const stack = [skillDir];
+  while (stack.length > 0) {
+    const currentDir = stack.pop();
+    if (!currentDir) {
+      continue;
+    }
+    let entries;
+    try {
+      entries = fs3.readdirSync(currentDir, { withFileTypes: true });
+    } catch {
+      unverifiableReasons.push(`Cannot read directory: ${toPosixPath(currentDir)}`);
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = path6.join(currentDir, entry.name);
+      if (entry.isDirectory()) {
+        if (!SKIP_DIRS2.has(entry.name)) {
+          stack.push(fullPath);
+        }
+        continue;
+      }
+      if (!entry.isFile()) {
+        continue;
+      }
+      const relativePath = toPosixPath(path6.relative(skillDir, fullPath));
+      if (!isScannableTextFile(relativePath)) {
+        continue;
+      }
+      if (files.length >= options.maxTotalFiles) {
+        unverifiableReasons.push(
+          `Reached maxTotalFiles=${options.maxTotalFiles}. Remaining files were not scanned.`
+        );
+        return { files, unverifiableReasons };
+      }
+      let sizeBytes = 0;
+      try {
+        sizeBytes = fs3.statSync(fullPath).size;
+      } catch {
+        unverifiableReasons.push(`Cannot stat file: ${relativePath}`);
+        continue;
+      }
+      if (sizeBytes > options.maxFileBytes) {
+        unverifiableReasons.push(
+          `Skipped oversized file (${sizeBytes} bytes > ${options.maxFileBytes}): ${relativePath}`
+        );
+        continue;
+      }
+      try {
+        files.push({
+          path: relativePath,
+          content: fs3.readFileSync(fullPath, "utf8")
+        });
+      } catch {
+        unverifiableReasons.push(`Cannot read text content: ${relativePath}`);
+      }
+    }
+  }
+  return { files, unverifiableReasons };
+}
+function resolveEffectiveScanLocalOptions(cliOptions, config) {
+  const defaults = config.defaults ?? {};
+  const resolver = config.resolver ?? {};
+  return effectiveScanLocalOptionsSchema.parse({
+    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS4.strict,
+    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS4.json,
+    skill: cliOptions.skill ?? DEFAULT_OPTIONS4.skill,
+    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS4.maxFileBytes,
+    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS4.maxTotalFiles
+  });
+}
+async function runScanLocalCommand(inputPath, rawOptions) {
+  const cliOptions = cliScanLocalOptionsSchema.parse(rawOptions);
+  const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
+  const options = resolveEffectiveScanLocalOptions(cliOptions, loadedConfig.config);
+  const target = resolveSkillDirectory(inputPath, options.skill);
+  const { files, unverifiableReasons } = collectLocalFiles2(target.skillDir, options);
+  if (files.length === 0) {
+    throw new GuardSkillsError(
+      "INVALID_LOCAL_PATH",
+      `No scannable text files found in: ${toPosixPath(target.skillDir)}`
+    );
+  }
+  const resolvedSkill = {
+    source: `local:${toPosixPath(target.skillDir)}`,
+    owner: "local",
+    repo: "local",
+    defaultBranch: "local",
+    commitSha: "local",
+    skillName: options.skill ?? path6.basename(target.skillDir),
+    skillDir: toPosixPath(target.skillDir),
+    skillFilePath: "SKILL.md",
+    files,
+    unverifiableReasons
+  };
+  const scan = scanResolvedSkill(resolvedSkill);
+  const decision = calculateRiskScore(scan.findings, {
+    strict: options.strict,
+    trustCredits: 0,
+    hasUnverifiableContent: scan.hasUnverifiableContent
+  });
+  const noteParts = ["Local scan complete."];
+  if (target.note) {
+    noteParts.push(target.note);
+  }
+  if (decision.level === "UNSAFE" || decision.level === "CRITICAL" || decision.level === "UNVERIFIABLE") {
+    noteParts.push("Blocked-level risk detected.");
+  }
+  if (loadedConfig.path) {
+    noteParts.push(`Config: ${loadedConfig.path}`);
+  }
+  const report = {
+    command: "guardskills scan-local",
+    inputPath,
+    strict: options.strict,
+    configPath: loadedConfig.path ?? void 0,
+    decision,
+    scanFiles: resolvedSkill.files.map((file) => file.path),
+    skillDir: resolvedSkill.skillDir,
+    unverifiableReasons: scan.unverifiableReasons,
+    note: noteParts.join(" ")
+  };
+  if (options.json) {
+    printJsonLocalReport(report);
+  } else {
+    printHumanLocalReport(report);
+  }
+  return decision.level === "UNSAFE" || decision.level === "CRITICAL" || decision.level === "UNVERIFIABLE" ? 20 : 0;
 }
 
 // src/cli.ts
+function withCommonAddOptions(command, requireSkill) {
+  const configured = command.option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--ci", "Deterministic CI mode: scan + gate only, no install handoff").option("--json", "Output machine-readable JSON").option("--yes", "Auto-confirm warnings").option("--dry-run", "Scan only, do not install").option("--force", "Override UNSAFE outcome").option("--allow-unverifiable", "Override UNVERIFIABLE outcome").option("--github-timeout-ms <ms>", "GitHub API request timeout in milliseconds").option("--github-retries <count>", "Retry count for retryable GitHub errors").option("--github-retry-base-ms <ms>", "Base backoff delay for GitHub retries").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-aux-files <count>", "Max auxiliary files from scripts/src folders").option("--max-total-files <count>", "Max total resolved files to scan");
+  return requireSkill ? configured.requiredOption("--skill <name>", "Skill name to install") : configured.option("--skill <name>", "Skill name to install");
+}
 async function main() {
   const program = new Command();
-  program.name("guardskills").description("Security wrapper around skills add").version("1.0.0");
-  program.command("add").description("Scan a skill source and conditionally install it via skills CLI").argument("<repo>", "GitHub repository URL or owner/repo").requiredOption("--skill <name>", "Skill name to install").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--ci", "Deterministic CI mode: scan + gate only, no install handoff").option("--json", "Output machine-readable JSON").option("--yes", "Auto-confirm warnings").option("--dry-run", "Scan only, do not install").option("--force", "Override UNSAFE outcome").option("--allow-unverifiable", "Override UNVERIFIABLE outcome").option("--github-timeout-ms <ms>", "GitHub API request timeout in milliseconds").option("--github-retries <count>", "Retry count for retryable GitHub errors").option("--github-retry-base-ms <ms>", "Base backoff delay for GitHub retries").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-aux-files <count>", "Max auxiliary files from scripts/src folders").option("--max-total-files <count>", "Max total resolved files to scan").action(async (repo, options) => {
-    const code = await runAddCommand(repo, options);
+  program.name("guardskills").description("Security wrapper around skill installation CLIs").version("1.1.0");
+  const legacyAdd = program.command("add").description("Scan a skill source and conditionally install it via skills CLI").argument("<repo>", "GitHub repository URL or owner/repo");
+  withCommonAddOptions(legacyAdd, true).action(
+    async (repo, options) => {
+      const code = await runAddCommand(repo, options);
+      process.exitCode = code;
+    }
+  );
+  const skills = program.command("skills").description("Guarded wrapper for skills.sh install commands");
+  withCommonAddOptions(
+    skills.command("add").description("Scan a skill source and conditionally install it via skills CLI").argument("<repo>", "GitHub repository URL or owner/repo"),
+    false
+  ).action(async (repo, options) => {
+    const resolvedSkill = typeof options.skill === "string" ? options.skill : void 0;
+    const code = resolvedSkill ? await runAddCommand(repo, options, {
+      provider: "skills",
+      commandName: "guardskills skills add"
+    }) : await runInteractiveInstallCommand("skills", repo, void 0, options);
+    process.exitCode = code;
+  });
+  const playbooks = program.command("playbooks").description("Guarded wrapper for Playbooks install commands");
+  withCommonAddOptions(
+    playbooks.command("add").description("Scan a skill source and conditionally install it via Playbooks CLI").argument("<resource>", "Playbooks resource type (must be 'skill')").argument("<repo>", "GitHub repository URL or owner/repo"),
+    true
+  ).action(async (resource, repo, options) => {
+    if (resource !== "skill") {
+      throw new GuardSkillsError(
+        "INVALID_OPTIONS",
+        `Unsupported playbooks resource '${resource}'. Use: guardskills playbooks add skill <repo> --skill <name>`
+      );
+    }
+    const code = await runAddCommand(repo, options, {
+      provider: "playbooks",
+      commandName: "guardskills playbooks add skill"
+    });
+    process.exitCode = code;
+  });
+  const openskills = program.command("openskills").description("Guarded wrapper for OpenSkills install commands");
+  withCommonAddOptions(
+    openskills.command("install").description("Scan a skill source and conditionally install it via OpenSkills CLI").argument("<repo>", "GitHub repository URL or owner/repo").argument("[skill]", "Skill name to install"),
+    false
+  ).action(async (repo, skill, options) => {
+    const resolvedSkill = skill ?? (typeof options.skill === "string" ? options.skill : void 0);
+    const code = await runInteractiveInstallCommand("openskills", repo, resolvedSkill, options);
+    process.exitCode = code;
+  });
+  const skillkit = program.command("skillkit").description("Guarded wrapper for skillkit install commands");
+  withCommonAddOptions(
+    skillkit.command("install").description("Scan a skill source and conditionally install it via skillkit CLI").argument("<repo>", "GitHub repository URL or owner/repo").argument("[skill]", "Skill name to install"),
+    false
+  ).action(async (repo, skill, options) => {
+    const resolvedSkill = skill ?? (typeof options.skill === "string" ? options.skill : void 0);
+    const code = await runInteractiveInstallCommand("skillkit", repo, resolvedSkill, options);
+    process.exitCode = code;
+  });
+  program.command("scan-local").description("Scan a local skill folder and print a risk decision").argument("<path>", "Local folder path (or SKILL.md file path)").option("--skill <name>", "Skill directory name when path contains multiple skills").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--json", "Output machine-readable JSON").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-total-files <count>", "Max total files to scan").action(async (repo, options) => {
+    const code = await runScanLocalCommand(repo, options);
     process.exitCode = code;
   });
-  program.command("scan-local").description("Scan a local skill folder and print a risk decision").argument("<path>", "Local folder path (or SKILL.md file path)").option("--skill <name>", "Skill directory name when path contains multiple skills").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--json", "Output machine-readable JSON").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-total-files <count>", "Max total files to scan").action(async (inputPath, options) => {
-    const code = await runScanLocalCommand(inputPath, options);
+  program.command("scan-clawhub").description("Scan a ClawHub skill package and print a risk decision").argument("<identifier>", "ClawHub package identifier").option("--skill <name>", "Override skill folder name to resolve in source repository").option("--version <version>", "Preferred package version/tag").option("--clawhub-registry <url>", "ClawHub registry base URL").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--json", "Output machine-readable JSON").option("--github-timeout-ms <ms>", "Upstream resolver request timeout in milliseconds").option("--github-retries <count>", "Retry count for retryable upstream errors").option("--github-retry-base-ms <ms>", "Base backoff delay for upstream retries").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-aux-files <count>", "Max auxiliary files from scripts/src folders").option("--max-total-files <count>", "Max total resolved files to scan").action(async (identifier, options) => {
+    const code = await runScanClawHubCommand(identifier, options);
     process.exitCode = code;
   });
   await program.parseAsync(process.argv);