guardskills 1.1.0 → 1.2.1

package/dist/cli.cjs

@@ -200,9 +200,13 @@ function enforceSourcePolicy(repoInput, policy) {
 
 // src/install/skills.ts
 var import_execa = require("execa");
-async function runSkillsInstall(repo, skill) {
+async function runProviderInstall(provider, repo, skill) {
+  if (provider === "playbooks" && !skill) {
+    return 30;
+  }
+  const args = provider === "skills" ? skill ? ["skills", "add", repo, "--skill", skill] : ["skills", "add", repo] : provider === "playbooks" ? ["playbooks", "add", "skill", repo, "--skill", skill] : provider === "skillkit" ? skill ? ["skillkit", "install", repo, "--skill", skill] : ["skillkit", "install", repo] : skill ? ["openskills", "install", repo, skill] : ["openskills", "install", repo];
   try {
-    await (0, import_execa.execa)("npx", ["skills", "add", repo, "--skill", skill], {
+    await (0, import_execa.execa)("npx", args, {
       stdio: "inherit"
     });
     return 0;
@@ -1067,6 +1071,22 @@ var cliAddOptionsSchema = import_zod2.z.object({
   maxAuxFiles: import_zod2.z.coerce.number().int().min(1).max(200).optional(),
   maxTotalFiles: import_zod2.z.coerce.number().int().min(1).max(400).optional()
 });
+var cliBulkAddOptionsSchema = import_zod2.z.object({
+  config: import_zod2.z.string().optional(),
+  strict: import_zod2.z.boolean().optional(),
+  ci: import_zod2.z.boolean().optional(),
+  json: import_zod2.z.boolean().optional(),
+  yes: import_zod2.z.boolean().optional(),
+  dryRun: import_zod2.z.boolean().optional(),
+  force: import_zod2.z.boolean().optional(),
+  allowUnverifiable: import_zod2.z.boolean().optional(),
+  githubTimeoutMs: import_zod2.z.coerce.number().int().min(1e3).max(12e4).optional(),
+  githubRetries: import_zod2.z.coerce.number().int().min(0).max(6).optional(),
+  githubRetryBaseMs: import_zod2.z.coerce.number().int().min(50).max(5e3).optional(),
+  maxFileBytes: import_zod2.z.coerce.number().int().min(4096).max(5e6).optional(),
+  maxAuxFiles: import_zod2.z.coerce.number().int().min(1).max(200).optional(),
+  maxTotalFiles: import_zod2.z.coerce.number().int().min(1).max(400).optional()
+});
 var effectiveAddOptionsSchema = import_zod2.z.object({
   skill: import_zod2.z.string().min(1),
   strict: import_zod2.z.boolean(),
@@ -1186,9 +1206,11 @@ function evaluateGate(level, options) {
     gateNote: level === "WARNING" ? "WARNING accepted via --yes." : "SAFE to proceed."
   };
 }
-async function runAddCommand(repo, rawOptions) {
+async function runAddCommand(repo, rawOptions, context = {}) {
   const cliOptions = cliAddOptionsSchema.parse(rawOptions);
   const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
+  const provider = context.provider ?? "skills";
+  const commandName = context.commandName ?? "guardskills add";
   const options = resolveEffectiveAddOptions(cliOptions, loadedConfig.config);
   enforceSourcePolicy(repo, loadedConfig.config.policy);
   enforceOptionPolicy(options, loadedConfig.config);
@@ -1209,7 +1231,7 @@ async function runAddCommand(repo, rawOptions) {
   const gate = evaluateGate(decision.level, options);
   const configNote = loadedConfig.path ? ` Config: ${loadedConfig.path}` : "";
   const report = {
-    command: "guardskills add",
+    command: commandName,
     repo,
     skill: options.skill,
     strict: options.strict,
@@ -1234,14 +1256,353 @@ async function runAddCommand(repo, rawOptions) {
   if (options.dryRun || options.ci) {
     return 0;
   }
-  return runSkillsInstall(repo, options.skill);
+  return runProviderInstall(provider, repo, options.skill);
 }
 
-// src/commands/scan-clawhub.ts
+// src/commands/openskills-install.ts
+var import_node_fs2 = __toESM(require("fs"), 1);
+var import_node_os = __toESM(require("os"), 1);
+var import_node_path4 = __toESM(require("path"), 1);
+var import_execa2 = require("execa");
 var import_zod3 = require("zod");
+var ALLOWED_TEXT_EXTENSIONS2 = /* @__PURE__ */ new Set([
+  ".md",
+  ".txt",
+  ".sh",
+  ".bash",
+  ".zsh",
+  ".ps1",
+  ".py",
+  ".js",
+  ".ts",
+  ".mjs",
+  ".cjs",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".ini",
+  ".cfg"
+]);
+var SKIP_DIRS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".turbo"]);
+var cliOpenSkillsOptionsSchema = import_zod3.z.object({
+  config: import_zod3.z.string().optional(),
+  strict: import_zod3.z.boolean().optional(),
+  ci: import_zod3.z.boolean().optional(),
+  json: import_zod3.z.boolean().optional(),
+  yes: import_zod3.z.boolean().optional(),
+  dryRun: import_zod3.z.boolean().optional(),
+  force: import_zod3.z.boolean().optional(),
+  allowUnverifiable: import_zod3.z.boolean().optional(),
+  githubTimeoutMs: import_zod3.z.coerce.number().int().min(1e3).max(12e4).optional(),
+  githubRetries: import_zod3.z.coerce.number().int().min(0).max(6).optional(),
+  githubRetryBaseMs: import_zod3.z.coerce.number().int().min(50).max(5e3).optional(),
+  maxFileBytes: import_zod3.z.coerce.number().int().min(4096).max(5e6).optional(),
+  maxAuxFiles: import_zod3.z.coerce.number().int().min(1).max(200).optional(),
+  maxTotalFiles: import_zod3.z.coerce.number().int().min(1).max(400).optional()
+});
+var DEFAULT_OPTIONS2 = {
+  strict: false,
+  ci: false,
+  json: false,
+  yes: false,
+  dryRun: false,
+  force: false,
+  allowUnverifiable: false,
+  githubTimeoutMs: 15e3,
+  githubRetries: 2,
+  githubRetryBaseMs: 300,
+  maxFileBytes: 25e4,
+  maxAuxFiles: 40,
+  maxTotalFiles: 120
+};
+function resolveEffectiveOptions(cliOptions, config) {
+  const defaults = config.defaults ?? {};
+  const resolver = config.resolver ?? {};
+  return {
+    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS2.strict,
+    ci: cliOptions.ci ?? defaults.ci ?? DEFAULT_OPTIONS2.ci,
+    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS2.json,
+    yes: cliOptions.yes ?? defaults.yes ?? DEFAULT_OPTIONS2.yes,
+    dryRun: cliOptions.dryRun ?? defaults.dryRun ?? DEFAULT_OPTIONS2.dryRun,
+    force: cliOptions.force ?? defaults.force ?? DEFAULT_OPTIONS2.force,
+    allowUnverifiable: cliOptions.allowUnverifiable ?? defaults.allowUnverifiable ?? DEFAULT_OPTIONS2.allowUnverifiable,
+    githubTimeoutMs: cliOptions.githubTimeoutMs ?? resolver.githubTimeoutMs ?? DEFAULT_OPTIONS2.githubTimeoutMs,
+    githubRetries: cliOptions.githubRetries ?? resolver.githubRetries ?? DEFAULT_OPTIONS2.githubRetries,
+    githubRetryBaseMs: cliOptions.githubRetryBaseMs ?? resolver.githubRetryBaseMs ?? DEFAULT_OPTIONS2.githubRetryBaseMs,
+    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS2.maxFileBytes,
+    maxAuxFiles: cliOptions.maxAuxFiles ?? resolver.maxAuxFiles ?? DEFAULT_OPTIONS2.maxAuxFiles,
+    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS2.maxTotalFiles
+  };
+}
+function enforceOptionPolicy2(options, config) {
+  const policy = config.policy;
+  if (!policy) {
+    return;
+  }
+  if (options.force && policy.allowForce === false) {
+    throw new GuardSkillsError(
+      "POLICY_VIOLATION",
+      "Policy blocks --force overrides (allowForce=false)."
+    );
+  }
+  if (options.allowUnverifiable && policy.allowUnverifiableOverride === false) {
+    throw new GuardSkillsError(
+      "POLICY_VIOLATION",
+      "Policy blocks --allow-unverifiable overrides (allowUnverifiableOverride=false)."
+    );
+  }
+}
+function findSkillDirs(rootDir) {
+  const found = /* @__PURE__ */ new Set();
+  const stack = [{ dir: rootDir, depth: 0 }];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (!current) {
+      continue;
+    }
+    const skillFile = import_node_path4.default.join(current.dir, "SKILL.md");
+    if (import_node_fs2.default.existsSync(skillFile) && import_node_fs2.default.statSync(skillFile).isFile()) {
+      found.add(current.dir);
+      continue;
+    }
+    if (current.depth >= 8) {
+      continue;
+    }
+    let entries;
+    try {
+      entries = import_node_fs2.default.readdirSync(current.dir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory()) {
+        continue;
+      }
+      if (SKIP_DIRS.has(entry.name)) {
+        continue;
+      }
+      stack.push({ dir: import_node_path4.default.join(current.dir, entry.name), depth: current.depth + 1 });
+    }
+  }
+  return [...found].sort();
+}
+function collectLocalFiles(skillDir, options) {
+  const files = [];
+  const unverifiableReasons = [];
+  const stack = [skillDir];
+  while (stack.length > 0) {
+    const currentDir = stack.pop();
+    if (!currentDir) {
+      continue;
+    }
+    let entries;
+    try {
+      entries = import_node_fs2.default.readdirSync(currentDir, { withFileTypes: true });
+    } catch {
+      unverifiableReasons.push(`Cannot read directory: ${currentDir}`);
+      continue;
+    }
+    for (const entry of entries) {
+      const fullPath = import_node_path4.default.join(currentDir, entry.name);
+      if (entry.isDirectory()) {
+        if (!SKIP_DIRS.has(entry.name)) {
+          stack.push(fullPath);
+        }
+        continue;
+      }
+      if (!entry.isFile()) {
+        continue;
+      }
+      const relativePath = import_node_path4.default.relative(skillDir, fullPath).replace(/\\/g, "/");
+      const ext = import_node_path4.default.extname(relativePath).toLowerCase();
+      const isSkillFile2 = import_node_path4.default.basename(relativePath).toLowerCase() === "skill.md";
+      if (!isSkillFile2 && !ALLOWED_TEXT_EXTENSIONS2.has(ext)) {
+        continue;
+      }
+      if (files.length >= options.maxTotalFiles) {
+        unverifiableReasons.push(
+          `Reached maxTotalFiles=${options.maxTotalFiles}. Remaining files were not scanned.`
+        );
+        return { files, unverifiableReasons };
+      }
+      let sizeBytes = 0;
+      try {
+        sizeBytes = import_node_fs2.default.statSync(fullPath).size;
+      } catch {
+        unverifiableReasons.push(`Cannot stat file: ${relativePath}`);
+        continue;
+      }
+      if (sizeBytes > options.maxFileBytes) {
+        unverifiableReasons.push(
+          `Skipped oversized file (${sizeBytes} bytes > ${options.maxFileBytes}): ${relativePath}`
+        );
+        continue;
+      }
+      try {
+        files.push({
+          path: relativePath,
+          content: import_node_fs2.default.readFileSync(fullPath, "utf8")
+        });
+      } catch {
+        unverifiableReasons.push(`Cannot read text content: ${relativePath}`);
+      }
+    }
+  }
+  return { files, unverifiableReasons };
+}
+function resolveSource(source) {
+  const maybePath = import_node_path4.default.resolve(source);
+  if (import_node_fs2.default.existsSync(maybePath)) {
+    return { kind: "local", path: maybePath };
+  }
+  const shorthand = source.match(/^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/);
+  if (shorthand) {
+    return { kind: "git", cloneUrl: `https://github.com/${shorthand[1]}/${shorthand[2]}.git` };
+  }
+  try {
+    const parsed = new URL(source);
+    if (parsed.hostname === "github.com" || parsed.hostname === "www.github.com") {
+      return { kind: "git", cloneUrl: source.endsWith(".git") ? source : `${source}.git` };
+    }
+  } catch {
+  }
+  return { kind: "git", cloneUrl: source };
+}
+function aggregateLevel(levels) {
+  if (levels.includes("UNVERIFIABLE")) {
+    return "UNVERIFIABLE";
+  }
+  if (levels.includes("CRITICAL")) {
+    return "CRITICAL";
+  }
+  if (levels.includes("UNSAFE")) {
+    return "UNSAFE";
+  }
+  if (levels.includes("WARNING")) {
+    return "WARNING";
+  }
+  return "SAFE";
+}
+async function runInteractiveInstallCommand(provider, source, skillName, rawOptions) {
+  if (provider !== "openskills" && provider !== "skills" && provider !== "skillkit") {
+    throw new GuardSkillsError(
+      "INVALID_OPTIONS",
+      `Interactive install flow is not supported for provider '${provider}'.`
+    );
+  }
+  const cliOptions = cliOpenSkillsOptionsSchema.parse(rawOptions);
+  const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
+  const options = resolveEffectiveOptions(cliOptions, loadedConfig.config);
+  enforceSourcePolicy(source, loadedConfig.config.policy);
+  enforceOptionPolicy2(options, loadedConfig.config);
+  const resolvedSource = resolveSource(source);
+  const tempDir = resolvedSource.kind === "git" ? import_node_fs2.default.mkdtempSync(import_node_path4.default.join(import_node_os.default.tmpdir(), `guardskills-${provider}-`)) : null;
+  const scanRoot = resolvedSource.kind === "git" ? tempDir ?? "" : resolvedSource.path;
+  try {
+    if (resolvedSource.kind === "git") {
+      try {
+        await (0, import_execa2.execa)("git", ["clone", "--depth", "1", resolvedSource.cloneUrl, scanRoot], {
+          timeout: options.githubTimeoutMs
+        });
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new GuardSkillsError(
+          "GITHUB_UNKNOWN",
+          `Failed to clone source '${source}' for ${provider} scan: ${message}`,
+          { cause: error }
+        );
+      }
+    }
+    const discovered = findSkillDirs(scanRoot);
+    if (discovered.length === 0) {
+      throw new GuardSkillsError("SKILL_NOT_FOUND", "No SKILL.md files were found in the source.");
+    }
+    const selectedDirs = skillName ? discovered.filter((dir) => import_node_path4.default.basename(dir).toLowerCase() === skillName.toLowerCase()) : discovered;
+    if (selectedDirs.length === 0) {
+      throw new GuardSkillsError(
+        "SKILL_NOT_FOUND",
+        `Skill '${skillName}' was not found. Available: ${discovered.map((dir) => import_node_path4.default.basename(dir)).join(", ")}`
+      );
+    }
+    const levels = [];
+    const summaries = [];
+    for (const skillDir of selectedDirs) {
+      const skill = import_node_path4.default.basename(skillDir);
+      const { files, unverifiableReasons } = collectLocalFiles(skillDir, options);
+      const resolvedSkill = {
+        source: `local:${skillDir}`,
+        owner: "local",
+        repo: "local",
+        defaultBranch: "local",
+        commitSha: "local",
+        skillName: skill,
+        skillDir: skillDir.replace(/\\/g, "/"),
+        skillFilePath: "SKILL.md",
+        files,
+        unverifiableReasons
+      };
+      const scan = scanResolvedSkill(resolvedSkill);
+      const decision = calculateRiskScore(scan.findings, {
+        strict: options.strict,
+        trustCredits: 0,
+        hasUnverifiableContent: scan.hasUnverifiableContent
+      });
+      levels.push(decision.level);
+      summaries.push({ skill, level: decision.level, riskScore: decision.riskScore });
+    }
+    const overall = aggregateLevel(levels);
+    const gate = evaluateGate(overall, { ...options, skill: skillName ?? "ALL_SKILLS" });
+    const label = provider === "openskills" ? "OpenSkills" : provider === "skillkit" ? "skillkit" : "skills.sh";
+    const note = `${gate.gateNote} ${label} flow: ${skillName ? "single skill" : "interactive skill selection"}.`;
+    if (options.json) {
+      console.log(
+        JSON.stringify(
+          {
+            command: `guardskills ${provider} ${provider === "skills" ? "add" : "install"}`,
+            source,
+            skill: skillName ?? null,
+            scannedSkills: summaries.length,
+            overallLevel: overall,
+            skills: summaries,
+            note
+          },
+          null,
+          2
+        )
+      );
+    } else {
+      console.log(`Command: guardskills ${provider} ${provider === "skills" ? "add" : "install"}`);
+      console.log(`Source: ${source}`);
+      console.log(`Selection: ${skillName ?? "interactive (all scanned)"}`);
+      console.log(`Scanned Skills: ${summaries.length}`);
+      console.log(`Decision: ${overall}`);
+      console.log("Per-skill results:");
+      for (const summary of summaries) {
+        const score = summary.riskScore === null ? "n/a" : summary.riskScore.toFixed(1);
+        console.log(`- ${summary.skill}: ${summary.level} (risk ${score})`);
+      }
+      console.log(`Note: ${note}`);
+    }
+    if (!gate.canInstall) {
+      return gate.exitCode;
+    }
+    if (options.dryRun || options.ci) {
+      return 0;
+    }
+    return runProviderInstall(provider, source, skillName);
+  } finally {
+    if (tempDir) {
+      import_node_fs2.default.rmSync(tempDir, { recursive: true, force: true });
+    }
+  }
+}
+
+// src/commands/scan-clawhub.ts
+var import_zod4 = require("zod");
 
 // src/resolver/clawhub.ts
-var import_node_path4 = __toESM(require("path"), 1);
+var import_node_path5 = __toESM(require("path"), 1);
 var import_jszip = __toESM(require("jszip"), 1);
 var DEFAULT_REGISTRY_BASE_URL = "https://clawhub.ai";
 var DEFAULT_ARCHIVE_BASE_URL = "https://auth.clawdhub.com";
@@ -1249,7 +1610,7 @@ var DEFAULT_REQUEST_TIMEOUT_MS2 = 15e3;
 var DEFAULT_MAX_FILE_SIZE_BYTES = 25e4;
 var DEFAULT_MAX_TOTAL_FILES = 120;
 var RETRYABLE_STATUS2 = /* @__PURE__ */ new Set([429, 500, 502, 503, 504]);
-var ALLOWED_TEXT_EXTENSIONS2 = /* @__PURE__ */ new Set([
+var ALLOWED_TEXT_EXTENSIONS3 = /* @__PURE__ */ new Set([
   ".md",
   ".txt",
   ".sh",
@@ -1491,8 +1852,8 @@ function isLikelyTextFile2(filePath) {
   if (lower.endsWith("/skill.md") || lower === "skill.md") {
     return true;
   }
-  const ext = import_node_path4.default.posix.extname(lower);
-  return ALLOWED_TEXT_EXTENSIONS2.has(ext);
+  const ext = import_node_path5.default.posix.extname(lower);
+  return ALLOWED_TEXT_EXTENSIONS3.has(ext);
 }
 function isBinaryContent2(content) {
   return content.includes("\0");
@@ -1635,7 +1996,7 @@ async function resolveSkillFromArchive(metadata, identifier, options) {
     defaultBranch: "archive",
     commitSha: archiveMeta.version ?? "archive",
     skillName: options.skillNameOverride ?? archiveMeta.slug,
-    skillDir: import_node_path4.default.posix.dirname(skillFilePath),
+    skillDir: import_node_path5.default.posix.dirname(skillFilePath),
     skillFilePath,
     files,
     unverifiableReasons: [...unverifiableReasons],
@@ -1783,34 +2144,34 @@ async function resolveSkillFromClawHub(identifier, options = {}) {
 }
 
 // src/commands/scan-clawhub.ts
-var cliScanClawHubOptionsSchema = import_zod3.z.object({
-  config: import_zod3.z.string().optional(),
-  strict: import_zod3.z.boolean().optional(),
-  json: import_zod3.z.boolean().optional(),
-  skill: import_zod3.z.string().min(1).optional(),
-  version: import_zod3.z.string().min(1).optional(),
-  clawhubRegistry: import_zod3.z.string().min(1).optional(),
-  githubTimeoutMs: import_zod3.z.coerce.number().int().min(1e3).max(12e4).optional(),
-  githubRetries: import_zod3.z.coerce.number().int().min(0).max(6).optional(),
-  githubRetryBaseMs: import_zod3.z.coerce.number().int().min(50).max(5e3).optional(),
-  maxFileBytes: import_zod3.z.coerce.number().int().min(4096).max(5e6).optional(),
-  maxAuxFiles: import_zod3.z.coerce.number().int().min(1).max(200).optional(),
-  maxTotalFiles: import_zod3.z.coerce.number().int().min(1).max(400).optional()
+var cliScanClawHubOptionsSchema = import_zod4.z.object({
+  config: import_zod4.z.string().optional(),
+  strict: import_zod4.z.boolean().optional(),
+  json: import_zod4.z.boolean().optional(),
+  skill: import_zod4.z.string().min(1).optional(),
+  version: import_zod4.z.string().min(1).optional(),
+  clawhubRegistry: import_zod4.z.string().min(1).optional(),
+  githubTimeoutMs: import_zod4.z.coerce.number().int().min(1e3).max(12e4).optional(),
+  githubRetries: import_zod4.z.coerce.number().int().min(0).max(6).optional(),
+  githubRetryBaseMs: import_zod4.z.coerce.number().int().min(50).max(5e3).optional(),
+  maxFileBytes: import_zod4.z.coerce.number().int().min(4096).max(5e6).optional(),
+  maxAuxFiles: import_zod4.z.coerce.number().int().min(1).max(200).optional(),
+  maxTotalFiles: import_zod4.z.coerce.number().int().min(1).max(400).optional()
 });
-var effectiveScanClawHubOptionsSchema = import_zod3.z.object({
-  strict: import_zod3.z.boolean(),
-  json: import_zod3.z.boolean(),
-  skill: import_zod3.z.string().min(1).optional(),
-  version: import_zod3.z.string().min(1).optional(),
-  clawhubRegistry: import_zod3.z.string().min(1),
-  githubTimeoutMs: import_zod3.z.number().int().min(1e3).max(12e4),
-  githubRetries: import_zod3.z.number().int().min(0).max(6),
-  githubRetryBaseMs: import_zod3.z.number().int().min(50).max(5e3),
-  maxFileBytes: import_zod3.z.number().int().min(4096).max(5e6),
-  maxAuxFiles: import_zod3.z.number().int().min(1).max(200),
-  maxTotalFiles: import_zod3.z.number().int().min(1).max(400)
+var effectiveScanClawHubOptionsSchema = import_zod4.z.object({
+  strict: import_zod4.z.boolean(),
+  json: import_zod4.z.boolean(),
+  skill: import_zod4.z.string().min(1).optional(),
+  version: import_zod4.z.string().min(1).optional(),
+  clawhubRegistry: import_zod4.z.string().min(1),
+  githubTimeoutMs: import_zod4.z.number().int().min(1e3).max(12e4),
+  githubRetries: import_zod4.z.number().int().min(0).max(6),
+  githubRetryBaseMs: import_zod4.z.number().int().min(50).max(5e3),
+  maxFileBytes: import_zod4.z.number().int().min(4096).max(5e6),
+  maxAuxFiles: import_zod4.z.number().int().min(1).max(200),
+  maxTotalFiles: import_zod4.z.number().int().min(1).max(400)
 });
-var DEFAULT_OPTIONS2 = {
+var DEFAULT_OPTIONS3 = {
   strict: false,
   json: false,
   skill: void 0,
@@ -1858,17 +2219,17 @@ function resolveEffectiveScanClawHubOptions(cliOptions, config) {
   const defaults = config.defaults ?? {};
   const resolver = config.resolver ?? {};
   return effectiveScanClawHubOptionsSchema.parse({
-    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS2.strict,
-    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS2.json,
-    skill: cliOptions.skill ?? DEFAULT_OPTIONS2.skill,
-    version: cliOptions.version ?? DEFAULT_OPTIONS2.version,
-    clawhubRegistry: cliOptions.clawhubRegistry ?? DEFAULT_OPTIONS2.clawhubRegistry,
-    githubTimeoutMs: cliOptions.githubTimeoutMs ?? resolver.githubTimeoutMs ?? DEFAULT_OPTIONS2.githubTimeoutMs,
-    githubRetries: cliOptions.githubRetries ?? resolver.githubRetries ?? DEFAULT_OPTIONS2.githubRetries,
-    githubRetryBaseMs: cliOptions.githubRetryBaseMs ?? resolver.githubRetryBaseMs ?? DEFAULT_OPTIONS2.githubRetryBaseMs,
-    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS2.maxFileBytes,
-    maxAuxFiles: cliOptions.maxAuxFiles ?? resolver.maxAuxFiles ?? DEFAULT_OPTIONS2.maxAuxFiles,
-    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS2.maxTotalFiles
+    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS3.strict,
+    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS3.json,
+    skill: cliOptions.skill ?? DEFAULT_OPTIONS3.skill,
+    version: cliOptions.version ?? DEFAULT_OPTIONS3.version,
+    clawhubRegistry: cliOptions.clawhubRegistry ?? DEFAULT_OPTIONS3.clawhubRegistry,
+    githubTimeoutMs: cliOptions.githubTimeoutMs ?? resolver.githubTimeoutMs ?? DEFAULT_OPTIONS3.githubTimeoutMs,
+    githubRetries: cliOptions.githubRetries ?? resolver.githubRetries ?? DEFAULT_OPTIONS3.githubRetries,
+    githubRetryBaseMs: cliOptions.githubRetryBaseMs ?? resolver.githubRetryBaseMs ?? DEFAULT_OPTIONS3.githubRetryBaseMs,
+    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS3.maxFileBytes,
+    maxAuxFiles: cliOptions.maxAuxFiles ?? resolver.maxAuxFiles ?? DEFAULT_OPTIONS3.maxAuxFiles,
+    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS3.maxTotalFiles
   });
 }
 async function runScanClawHubCommand(identifier, rawOptions) {
@@ -1930,10 +2291,10 @@ async function runScanClawHubCommand(identifier, rawOptions) {
 }
 
 // src/commands/scan-local.ts
-var import_node_fs2 = __toESM(require("fs"), 1);
-var import_node_path5 = __toESM(require("path"), 1);
-var import_zod4 = require("zod");
-var ALLOWED_TEXT_EXTENSIONS3 = /* @__PURE__ */ new Set([
+var import_node_fs3 = __toESM(require("fs"), 1);
+var import_node_path6 = __toESM(require("path"), 1);
+var import_zod5 = require("zod");
+var ALLOWED_TEXT_EXTENSIONS4 = /* @__PURE__ */ new Set([
   ".md",
   ".txt",
   ".sh",
@@ -1952,23 +2313,23 @@ var ALLOWED_TEXT_EXTENSIONS3 = /* @__PURE__ */ new Set([
   ".ini",
   ".cfg"
 ]);
-var SKIP_DIRS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".turbo"]);
-var cliScanLocalOptionsSchema = import_zod4.z.object({
-  config: import_zod4.z.string().optional(),
-  strict: import_zod4.z.boolean().optional(),
-  json: import_zod4.z.boolean().optional(),
-  skill: import_zod4.z.string().min(1).optional(),
-  maxFileBytes: import_zod4.z.coerce.number().int().min(4096).max(5e6).optional(),
-  maxTotalFiles: import_zod4.z.coerce.number().int().min(1).max(400).optional()
+var SKIP_DIRS2 = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", ".next", ".turbo"]);
+var cliScanLocalOptionsSchema = import_zod5.z.object({
+  config: import_zod5.z.string().optional(),
+  strict: import_zod5.z.boolean().optional(),
+  json: import_zod5.z.boolean().optional(),
+  skill: import_zod5.z.string().min(1).optional(),
+  maxFileBytes: import_zod5.z.coerce.number().int().min(4096).max(5e6).optional(),
+  maxTotalFiles: import_zod5.z.coerce.number().int().min(1).max(400).optional()
 });
-var effectiveScanLocalOptionsSchema = import_zod4.z.object({
-  strict: import_zod4.z.boolean(),
-  json: import_zod4.z.boolean(),
-  skill: import_zod4.z.string().min(1).optional(),
-  maxFileBytes: import_zod4.z.number().int().min(4096).max(5e6),
-  maxTotalFiles: import_zod4.z.number().int().min(1).max(400)
+var effectiveScanLocalOptionsSchema = import_zod5.z.object({
+  strict: import_zod5.z.boolean(),
+  json: import_zod5.z.boolean(),
+  skill: import_zod5.z.string().min(1).optional(),
+  maxFileBytes: import_zod5.z.number().int().min(4096).max(5e6),
+  maxTotalFiles: import_zod5.z.number().int().min(1).max(400)
 });
-var DEFAULT_OPTIONS3 = {
+var DEFAULT_OPTIONS4 = {
   strict: false,
   json: false,
   skill: void 0,
@@ -1979,30 +2340,30 @@ function toPosixPath(filePath) {
   return filePath.replace(/\\/g, "/");
 }
 function getNearbyPathSuggestions(targetPath) {
-  const parent = import_node_path5.default.dirname(targetPath);
-  if (!import_node_fs2.default.existsSync(parent)) {
+  const parent = import_node_path6.default.dirname(targetPath);
+  if (!import_node_fs3.default.existsSync(parent)) {
     return [];
   }
-  const needle = import_node_path5.default.basename(targetPath).toLowerCase();
+  const needle = import_node_path6.default.basename(targetPath).toLowerCase();
   const suggestions = [];
-  for (const entry of import_node_fs2.default.readdirSync(parent, { withFileTypes: true })) {
+  for (const entry of import_node_fs3.default.readdirSync(parent, { withFileTypes: true })) {
     if (entry.name.toLowerCase().includes(needle)) {
-      suggestions.push(import_node_path5.default.join(parent, entry.name));
+      suggestions.push(import_node_path6.default.join(parent, entry.name));
     }
   }
   return suggestions.slice(0, 5);
 }
 function isSkillFile(filePath) {
-  return import_node_path5.default.basename(filePath).toLowerCase() === "skill.md";
+  return import_node_path6.default.basename(filePath).toLowerCase() === "skill.md";
 }
 function isScannableTextFile(filePath) {
   if (isSkillFile(filePath)) {
     return true;
   }
-  const ext = import_node_path5.default.extname(filePath).toLowerCase();
-  return ALLOWED_TEXT_EXTENSIONS3.has(ext);
+  const ext = import_node_path6.default.extname(filePath).toLowerCase();
+  return ALLOWED_TEXT_EXTENSIONS4.has(ext);
 }
-function findSkillDirs(rootDir) {
+function findSkillDirs2(rootDir) {
   const found = /* @__PURE__ */ new Set();
   const stack = [{ dir: rootDir, depth: 0 }];
   let seen = 0;
@@ -2015,8 +2376,8 @@ function findSkillDirs(rootDir) {
     if (seen > 5e3) {
       break;
     }
-    const skillFile = import_node_path5.default.join(current.dir, "SKILL.md");
-    if (import_node_fs2.default.existsSync(skillFile) && import_node_fs2.default.statSync(skillFile).isFile()) {
+    const skillFile = import_node_path6.default.join(current.dir, "SKILL.md");
+    if (import_node_fs3.default.existsSync(skillFile) && import_node_fs3.default.statSync(skillFile).isFile()) {
       found.add(current.dir);
       continue;
     }
@@ -2025,7 +2386,7 @@ function findSkillDirs(rootDir) {
     }
     let entries;
     try {
-      entries = import_node_fs2.default.readdirSync(current.dir, { withFileTypes: true });
+      entries = import_node_fs3.default.readdirSync(current.dir, { withFileTypes: true });
     } catch {
       continue;
     }
@@ -2033,10 +2394,10 @@ function findSkillDirs(rootDir) {
       if (!entry.isDirectory()) {
         continue;
       }
-      if (SKIP_DIRS.has(entry.name)) {
+      if (SKIP_DIRS2.has(entry.name)) {
         continue;
       }
-      stack.push({ dir: import_node_path5.default.join(current.dir, entry.name), depth: current.depth + 1 });
+      stack.push({ dir: import_node_path6.default.join(current.dir, entry.name), depth: current.depth + 1 });
     }
   }
   return [...found].sort();
@@ -2045,8 +2406,8 @@ function formatCandidates(candidates) {
   return candidates.map((candidate) => `- ${toPosixPath(candidate)}`).join("\n");
 }
 function resolveSkillDirectory(inputPath, preferredSkillName) {
-  const absoluteInput = import_node_path5.default.resolve(inputPath);
-  if (!import_node_fs2.default.existsSync(absoluteInput)) {
+  const absoluteInput = import_node_path6.default.resolve(inputPath);
+  if (!import_node_fs3.default.existsSync(absoluteInput)) {
     const suggestions = getNearbyPathSuggestions(absoluteInput);
     const suggestionText = suggestions.length > 0 ? `
 Nearby paths:
@@ -2056,7 +2417,7 @@ ${formatCandidates(suggestions)}` : "";
       `Local path not found: ${toPosixPath(absoluteInput)}${suggestionText}`
     );
   }
-  const stat = import_node_fs2.default.statSync(absoluteInput);
+  const stat = import_node_fs3.default.statSync(absoluteInput);
   if (stat.isFile()) {
     if (!isSkillFile(absoluteInput)) {
       throw new GuardSkillsError(
@@ -2065,15 +2426,15 @@ ${formatCandidates(suggestions)}` : "";
       );
     }
     return {
-      skillDir: import_node_path5.default.dirname(absoluteInput),
+      skillDir: import_node_path6.default.dirname(absoluteInput),
       note: "Using parent directory of provided SKILL.md file."
     };
   }
-  const directSkillFile = import_node_path5.default.join(absoluteInput, "SKILL.md");
-  if (import_node_fs2.default.existsSync(directSkillFile) && import_node_fs2.default.statSync(directSkillFile).isFile()) {
+  const directSkillFile = import_node_path6.default.join(absoluteInput, "SKILL.md");
+  if (import_node_fs3.default.existsSync(directSkillFile) && import_node_fs3.default.statSync(directSkillFile).isFile()) {
     return { skillDir: absoluteInput };
   }
-  const discovered = findSkillDirs(absoluteInput);
+  const discovered = findSkillDirs2(absoluteInput);
   if (discovered.length === 0) {
     throw new GuardSkillsError(
       "INVALID_LOCAL_PATH",
@@ -2082,7 +2443,7 @@ ${formatCandidates(suggestions)}` : "";
   }
   if (preferredSkillName) {
     const matches = discovered.filter(
-      (directory) => import_node_path5.default.basename(directory).toLowerCase() === preferredSkillName.toLowerCase()
+      (directory) => import_node_path6.default.basename(directory).toLowerCase() === preferredSkillName.toLowerCase()
     );
     if (matches.length === 1) {
       const selected = matches[0];
@@ -2094,7 +2455,7 @@ ${formatCandidates(suggestions)}` : "";
         note: `Auto-selected skill '${preferredSkillName}' under the provided path.`
       };
     }
-    const available = discovered.map((directory) => import_node_path5.default.basename(directory));
+    const available = discovered.map((directory) => import_node_path6.default.basename(directory));
     throw new GuardSkillsError(
       "INVALID_LOCAL_PATH",
       `Requested --skill '${preferredSkillName}' was not found.
@@ -2117,7 +2478,7 @@ Available skills: ${available.join(", ")}`
 ${formatCandidates(discovered)}`
   );
 }
-function collectLocalFiles(skillDir, options) {
+function collectLocalFiles2(skillDir, options) {
   const files = [];
   const unverifiableReasons = [];
   const stack = [skillDir];
@@ -2128,15 +2489,15 @@ function collectLocalFiles(skillDir, options) {
     }
     let entries;
     try {
-      entries = import_node_fs2.default.readdirSync(currentDir, { withFileTypes: true });
+      entries = import_node_fs3.default.readdirSync(currentDir, { withFileTypes: true });
     } catch {
       unverifiableReasons.push(`Cannot read directory: ${toPosixPath(currentDir)}`);
       continue;
     }
     for (const entry of entries) {
-      const fullPath = import_node_path5.default.join(currentDir, entry.name);
+      const fullPath = import_node_path6.default.join(currentDir, entry.name);
       if (entry.isDirectory()) {
-        if (!SKIP_DIRS.has(entry.name)) {
+        if (!SKIP_DIRS2.has(entry.name)) {
           stack.push(fullPath);
         }
         continue;
@@ -2144,7 +2505,7 @@ function collectLocalFiles(skillDir, options) {
       if (!entry.isFile()) {
         continue;
       }
-      const relativePath = toPosixPath(import_node_path5.default.relative(skillDir, fullPath));
+      const relativePath = toPosixPath(import_node_path6.default.relative(skillDir, fullPath));
       if (!isScannableTextFile(relativePath)) {
         continue;
       }
@@ -2156,7 +2517,7 @@ function collectLocalFiles(skillDir, options) {
       }
       let sizeBytes = 0;
       try {
-        sizeBytes = import_node_fs2.default.statSync(fullPath).size;
+        sizeBytes = import_node_fs3.default.statSync(fullPath).size;
       } catch {
         unverifiableReasons.push(`Cannot stat file: ${relativePath}`);
         continue;
@@ -2170,7 +2531,7 @@ function collectLocalFiles(skillDir, options) {
       try {
         files.push({
           path: relativePath,
-          content: import_node_fs2.default.readFileSync(fullPath, "utf8")
+          content: import_node_fs3.default.readFileSync(fullPath, "utf8")
         });
       } catch {
         unverifiableReasons.push(`Cannot read text content: ${relativePath}`);
@@ -2183,11 +2544,11 @@ function resolveEffectiveScanLocalOptions(cliOptions, config) {
   const defaults = config.defaults ?? {};
   const resolver = config.resolver ?? {};
   return effectiveScanLocalOptionsSchema.parse({
-    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS3.strict,
-    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS3.json,
-    skill: cliOptions.skill ?? DEFAULT_OPTIONS3.skill,
-    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS3.maxFileBytes,
-    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS3.maxTotalFiles
+    strict: cliOptions.strict ?? defaults.strict ?? DEFAULT_OPTIONS4.strict,
+    json: cliOptions.json ?? defaults.json ?? DEFAULT_OPTIONS4.json,
+    skill: cliOptions.skill ?? DEFAULT_OPTIONS4.skill,
+    maxFileBytes: cliOptions.maxFileBytes ?? resolver.maxFileBytes ?? DEFAULT_OPTIONS4.maxFileBytes,
+    maxTotalFiles: cliOptions.maxTotalFiles ?? resolver.maxTotalFiles ?? DEFAULT_OPTIONS4.maxTotalFiles
   });
 }
 async function runScanLocalCommand(inputPath, rawOptions) {
@@ -2195,7 +2556,7 @@ async function runScanLocalCommand(inputPath, rawOptions) {
   const loadedConfig = loadGuardSkillsConfig(cliOptions.config);
   const options = resolveEffectiveScanLocalOptions(cliOptions, loadedConfig.config);
   const target = resolveSkillDirectory(inputPath, options.skill);
-  const { files, unverifiableReasons } = collectLocalFiles(target.skillDir, options);
+  const { files, unverifiableReasons } = collectLocalFiles2(target.skillDir, options);
   if (files.length === 0) {
     throw new GuardSkillsError(
       "INVALID_LOCAL_PATH",
@@ -2208,7 +2569,7 @@ async function runScanLocalCommand(inputPath, rawOptions) {
     repo: "local",
     defaultBranch: "local",
     commitSha: "local",
-    skillName: options.skill ?? import_node_path5.default.basename(target.skillDir),
+    skillName: options.skill ?? import_node_path6.default.basename(target.skillDir),
     skillDir: toPosixPath(target.skillDir),
     skillFilePath: "SKILL.md",
     files,
@@ -2250,15 +2611,69 @@ async function runScanLocalCommand(inputPath, rawOptions) {
 }
 
 // src/cli.ts
+function withCommonAddOptions(command, requireSkill) {
+  const configured = command.option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--ci", "Deterministic CI mode: scan + gate only, no install handoff").option("--json", "Output machine-readable JSON").option("--yes", "Auto-confirm warnings").option("--dry-run", "Scan only, do not install").option("--force", "Override UNSAFE outcome").option("--allow-unverifiable", "Override UNVERIFIABLE outcome").option("--github-timeout-ms <ms>", "GitHub API request timeout in milliseconds").option("--github-retries <count>", "Retry count for retryable GitHub errors").option("--github-retry-base-ms <ms>", "Base backoff delay for GitHub retries").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-aux-files <count>", "Max auxiliary files from scripts/src folders").option("--max-total-files <count>", "Max total resolved files to scan");
+  return requireSkill ? configured.requiredOption("--skill <name>", "Skill name to install") : configured.option("--skill <name>", "Skill name to install");
+}
 async function main() {
   const program = new import_commander.Command();
-  program.name("guardskills").description("Security wrapper around skills add").version("1.1.0");
-  program.command("add").description("Scan a skill source and conditionally install it via skills CLI").argument("<repo>", "GitHub repository URL or owner/repo").requiredOption("--skill <name>", "Skill name to install").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--ci", "Deterministic CI mode: scan + gate only, no install handoff").option("--json", "Output machine-readable JSON").option("--yes", "Auto-confirm warnings").option("--dry-run", "Scan only, do not install").option("--force", "Override UNSAFE outcome").option("--allow-unverifiable", "Override UNVERIFIABLE outcome").option("--github-timeout-ms <ms>", "GitHub API request timeout in milliseconds").option("--github-retries <count>", "Retry count for retryable GitHub errors").option("--github-retry-base-ms <ms>", "Base backoff delay for GitHub retries").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-aux-files <count>", "Max auxiliary files from scripts/src folders").option("--max-total-files <count>", "Max total resolved files to scan").action(async (repo, options) => {
-    const code = await runAddCommand(repo, options);
+  program.name("guardskills").description("Security wrapper around skill installation CLIs").version("1.1.0");
+  const legacyAdd = program.command("add").description("Scan a skill source and conditionally install it via skills CLI").argument("<repo>", "GitHub repository URL or owner/repo");
+  withCommonAddOptions(legacyAdd, true).action(
+    async (repo, options) => {
+      const code = await runAddCommand(repo, options);
+      process.exitCode = code;
+    }
+  );
+  const skills = program.command("skills").description("Guarded wrapper for skills.sh install commands");
+  withCommonAddOptions(
+    skills.command("add").description("Scan a skill source and conditionally install it via skills CLI").argument("<repo>", "GitHub repository URL or owner/repo"),
+    false
+  ).action(async (repo, options) => {
+    const resolvedSkill = typeof options.skill === "string" ? options.skill : void 0;
+    const code = resolvedSkill ? await runAddCommand(repo, options, {
+      provider: "skills",
+      commandName: "guardskills skills add"
+    }) : await runInteractiveInstallCommand("skills", repo, void 0, options);
+    process.exitCode = code;
+  });
+  const playbooks = program.command("playbooks").description("Guarded wrapper for Playbooks install commands");
+  withCommonAddOptions(
+    playbooks.command("add").description("Scan a skill source and conditionally install it via Playbooks CLI").argument("<resource>", "Playbooks resource type (must be 'skill')").argument("<repo>", "GitHub repository URL or owner/repo"),
+    true
+  ).action(async (resource, repo, options) => {
+    if (resource !== "skill") {
+      throw new GuardSkillsError(
+        "INVALID_OPTIONS",
+        `Unsupported playbooks resource '${resource}'. Use: guardskills playbooks add skill <repo> --skill <name>`
+      );
+    }
+    const code = await runAddCommand(repo, options, {
+      provider: "playbooks",
+      commandName: "guardskills playbooks add skill"
+    });
+    process.exitCode = code;
+  });
+  const openskills = program.command("openskills").description("Guarded wrapper for OpenSkills install commands");
+  withCommonAddOptions(
+    openskills.command("install").description("Scan a skill source and conditionally install it via OpenSkills CLI").argument("<repo>", "GitHub repository URL or owner/repo").argument("[skill]", "Skill name to install"),
+    false
+  ).action(async (repo, skill, options) => {
+    const resolvedSkill = skill ?? (typeof options.skill === "string" ? options.skill : void 0);
+    const code = await runInteractiveInstallCommand("openskills", repo, resolvedSkill, options);
+    process.exitCode = code;
+  });
+  const skillkit = program.command("skillkit").description("Guarded wrapper for skillkit install commands");
+  withCommonAddOptions(
+    skillkit.command("install").description("Scan a skill source and conditionally install it via skillkit CLI").argument("<repo>", "GitHub repository URL or owner/repo").argument("[skill]", "Skill name to install"),
+    false
+  ).action(async (repo, skill, options) => {
+    const resolvedSkill = skill ?? (typeof options.skill === "string" ? options.skill : void 0);
+    const code = await runInteractiveInstallCommand("skillkit", repo, resolvedSkill, options);
     process.exitCode = code;
   });
-  program.command("scan-local").description("Scan a local skill folder and print a risk decision").argument("<path>", "Local folder path (or SKILL.md file path)").option("--skill <name>", "Skill directory name when path contains multiple skills").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--json", "Output machine-readable JSON").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-total-files <count>", "Max total files to scan").action(async (inputPath, options) => {
-    const code = await runScanLocalCommand(inputPath, options);
+  program.command("scan-local").description("Scan a local skill folder and print a risk decision").argument("<path>", "Local folder path (or SKILL.md file path)").option("--skill <name>", "Skill directory name when path contains multiple skills").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--json", "Output machine-readable JSON").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-total-files <count>", "Max total files to scan").action(async (repo, options) => {
+    const code = await runScanLocalCommand(repo, options);
     process.exitCode = code;
   });
   program.command("scan-clawhub").description("Scan a ClawHub skill package and print a risk decision").argument("<identifier>", "ClawHub package identifier").option("--skill <name>", "Override skill folder name to resolve in source repository").option("--version <version>", "Preferred package version/tag").option("--clawhub-registry <url>", "ClawHub registry base URL").option("--config <path>", "Path to guardskills.config.json").option("--strict", "Use stricter risk thresholds").option("--json", "Output machine-readable JSON").option("--github-timeout-ms <ms>", "Upstream resolver request timeout in milliseconds").option("--github-retries <count>", "Retry count for retryable upstream errors").option("--github-retry-base-ms <ms>", "Base backoff delay for upstream retries").option("--max-file-bytes <bytes>", "Max file size to scan").option("--max-aux-files <count>", "Max auxiliary files from scripts/src folders").option("--max-total-files <count>", "Max total resolved files to scan").action(async (identifier, options) => {