happyskills 0.35.5 → 0.37.0

package/src/utils/text_diff.js

@@ -0,0 +1,247 @@
+/**
+ * Lightweight unified diff — no external dependencies.
+ *
+ * Uses the Myers diff algorithm for line-level comparison, then formats
+ * the result as a standard unified diff with configurable context lines.
+ *
+ * Designed for memory efficiency:
+ * - No intermediate copies of full file content
+ * - Hunks are built incrementally
+ * - Input strings are split once, not retained
+ */
+
+// ─── Myers diff ──────────────────────────────────────────────────────────────
+
+/**
+ * Compute the shortest edit script between two line arrays using Myers' O(ND) algorithm.
+ * Returns an array of { type: 'equal'|'delete'|'insert', old_idx?, new_idx? } operations.
+ *
+ * For files with small edit distance D, this runs in O((M+N)*D) time and O(D²) space
+ * for the trace. Skill files are typically < 1000 lines with small diffs, so this is
+ * well within acceptable bounds.
+ */
+const myers_edit_script = (old_lines, new_lines) => {
+	const N = old_lines.length
+	const M = new_lines.length
+
+	if (N === 0 && M === 0) return []
+	if (N === 0) return new_lines.map((_, j) => ({ type: 'insert', new_idx: j }))
+	if (M === 0) return old_lines.map((_, i) => ({ type: 'delete', old_idx: i }))
+
+	const MAX = N + M
+	const V = new Map([[1, 0]])
+	const trace = []
+
+	for (let d = 0; d <= MAX; d++) {
+		// Snapshot V for backtracking
+		trace.push(new Map(V))
+
+		for (let k = -d; k <= d; k += 2) {
+			let x
+			if (k === -d || (k !== d && (V.get(k - 1) ?? -1) < (V.get(k + 1) ?? -1))) {
+				x = V.get(k + 1) ?? 0 // move down (insert)
+			} else {
+				x = (V.get(k - 1) ?? 0) + 1 // move right (delete)
+			}
+			let y = x - k
+
+			// Follow diagonal (equal lines)
+			while (x < N && y < M && old_lines[x] === new_lines[y]) {
+				x++
+				y++
+			}
+
+			V.set(k, x)
+
+			if (x >= N && y >= M) {
+				return backtrack(trace, old_lines, new_lines, d)
+			}
+		}
+	}
+
+	// Should never reach here
+	return []
+}
+
+/**
+ * Backtrack through the trace to reconstruct the edit script.
+ */
+const backtrack = (trace, old_lines, new_lines, d) => {
+	const ops = []
+	let x = old_lines.length
+	let y = new_lines.length
+
+	for (let step = d; step > 0; step--) {
+		// trace[step] = V snapshot taken at the START of iteration d=step,
+		// which is V AFTER d=step-1 completed — i.e., the previous step's result
+		const v_prev = trace[step]
+		const k = x - y
+
+		let prev_k
+		if (k === -step || (k !== step && (v_prev.get(k - 1) ?? -1) < (v_prev.get(k + 1) ?? -1))) {
+			prev_k = k + 1 // came from above (insert)
+		} else {
+			prev_k = k - 1 // came from left (delete)
+		}
+
+		const prev_x = v_prev.get(prev_k) ?? 0
+		const prev_y = prev_x - prev_k
+
+		// Diagonal moves (equal lines) — collect in reverse
+		while (x > prev_x + (prev_k < k ? 1 : 0) && y > prev_y + (prev_k > k ? 1 : 0)) {
+			x--
+			y--
+			ops.push({ type: 'equal', old_idx: x, new_idx: y })
+		}
+
+		// The actual edit
+		if (prev_k < k) {
+			// Moved right → delete
+			x--
+			ops.push({ type: 'delete', old_idx: x })
+		} else {
+			// Moved down → insert
+			y--
+			ops.push({ type: 'insert', new_idx: y })
+		}
+	}
+
+	// Remaining diagonal at the start
+	while (x > 0 && y > 0) {
+		x--
+		y--
+		ops.push({ type: 'equal', old_idx: x, new_idx: y })
+	}
+
+	ops.reverse()
+	return ops
+}
+
+// ─── Hunk building ───────────────────────────────────────────────────────────
+
+/**
+ * Group edit operations into unified diff hunks with context lines.
+ */
+const build_hunks = (ops, old_lines, new_lines, context) => {
+	// Find ranges of changes (non-equal ops)
+	const change_indices = []
+	for (let i = 0; i < ops.length; i++) {
+		if (ops[i].type !== 'equal') change_indices.push(i)
+	}
+
+	if (change_indices.length === 0) return []
+
+	// Group changes that are within (2 * context) lines of each other
+	const groups = []
+	let group_start = change_indices[0]
+	let group_end = change_indices[0]
+
+	for (let i = 1; i < change_indices.length; i++) {
+		const gap = change_indices[i] - change_indices[i - 1]
+		if (gap <= context * 2 + 1) {
+			group_end = change_indices[i]
+		} else {
+			groups.push([group_start, group_end])
+			group_start = change_indices[i]
+			group_end = change_indices[i]
+		}
+	}
+	groups.push([group_start, group_end])
+
+	// Build hunks from groups
+	const hunks = []
+	for (const [start, end] of groups) {
+		const hunk_start = Math.max(0, start - context)
+		const hunk_end = Math.min(ops.length - 1, end + context)
+
+		let old_start = null
+		let new_start = null
+		let old_count = 0
+		let new_count = 0
+		const lines = []
+
+		for (let i = hunk_start; i <= hunk_end; i++) {
+			const op = ops[i]
+			if (op.type === 'equal') {
+				if (old_start === null) old_start = op.old_idx
+				if (new_start === null) new_start = op.new_idx
+				lines.push(` ${old_lines[op.old_idx]}`)
+				old_count++
+				new_count++
+			} else if (op.type === 'delete') {
+				if (old_start === null) old_start = op.old_idx
+				if (new_start === null) {
+					// Find the new_idx from the nearest equal op before this
+					new_start = find_new_start(ops, i)
+				}
+				lines.push(`-${old_lines[op.old_idx]}`)
+				old_count++
+			} else if (op.type === 'insert') {
+				if (new_start === null) new_start = op.new_idx
+				if (old_start === null) {
+					old_start = find_old_start(ops, i)
+				}
+				lines.push(`+${new_lines[op.new_idx]}`)
+				new_count++
+			}
+		}
+
+		hunks.push({
+			old_start: (old_start ?? 0) + 1, // 1-based
+			old_count,
+			new_start: (new_start ?? 0) + 1, // 1-based
+			new_count,
+			lines
+		})
+	}
+
+	return hunks
+}
+
+const find_new_start = (ops, from) => {
+	for (let i = from - 1; i >= 0; i--) {
+		if (ops[i].new_idx !== undefined) return ops[i].new_idx + 1
+	}
+	return 0
+}
+
+const find_old_start = (ops, from) => {
+	for (let i = from - 1; i >= 0; i--) {
+		if (ops[i].old_idx !== undefined) return ops[i].old_idx + 1
+	}
+	return 0
+}
+
+// ─── Public API ──────────────────────────────────────────────────────────────
+
+/**
+ * Compute a unified diff between two text strings.
+ *
+ * @param {string} old_text - Original text
+ * @param {string} new_text - Modified text
+ * @param {string} old_label - Label for original (e.g., "base/SKILL.md")
+ * @param {string} new_label - Label for modified (e.g., "local/SKILL.md")
+ * @param {number} [context=3] - Number of context lines around each change
+ * @returns {string} Unified diff string, empty if no differences
+ */
+const unified_diff = (old_text, new_text, old_label, new_label, context = 3) => {
+	if (old_text === new_text) return ''
+
+	const old_lines = old_text.split('\n')
+	const new_lines = new_text.split('\n')
+
+	const ops = myers_edit_script(old_lines, new_lines)
+	const hunks = build_hunks(ops, old_lines, new_lines, context)
+
+	if (hunks.length === 0) return ''
+
+	const header = `--- ${old_label}\n+++ ${new_label}`
+	const hunk_strings = hunks.map(h => {
+		const range = `@@ -${h.old_start},${h.old_count} +${h.new_start},${h.new_count} @@`
+		return `${range}\n${h.lines.join('\n')}`
+	})
+
+	return `${header}\n${hunk_strings.join('\n')}`
+}
+
+module.exports = { unified_diff }

package/src/validation/dependency_rules.js

@@ -0,0 +1,309 @@
+const { error: { catch_errors } } = require('puffy-core')
+const { SKILL_JSON } = require('../constants')
+
+const RESULT_FILE = SKILL_JSON
+
+const result = (field, rule, severity, message, value) => ({
+	file: RESULT_FILE, field, rule, severity, message, ...(value !== undefined ? { value } : {})
+})
+
+// ---------------------------------------------------------------------------
+// Local rules (no API needed)
+// ---------------------------------------------------------------------------
+
+const check_self_reference = (manifest) => {
+	const results = []
+	const deps = manifest.dependencies || {}
+	const dep_names = Object.keys(deps)
+
+	if (dep_names.length === 0) {
+		results.push(result('dependencies', 'dep-self-reference', 'pass', 'No dependencies declared'))
+		return results
+	}
+
+	for (const dep of dep_names) {
+		const dep_short = dep.includes('/') ? dep.split('/')[1] : dep
+		if (dep_short === manifest.name || dep === manifest.name) {
+			results.push(result('dependencies', 'dep-self-reference', 'error',
+				`Skill depends on itself: "${dep}". Remove this self-reference from dependencies.`, dep))
+		}
+	}
+
+	if (!results.some(r => r.rule === 'dep-self-reference' && r.severity === 'error')) {
+		results.push(result('dependencies', 'dep-self-reference', 'pass', 'No self-references in dependencies'))
+	}
+
+	return results
+}
+
+// ---------------------------------------------------------------------------
+// Registry rules (require API access)
+// ---------------------------------------------------------------------------
+
+const check_deps_exist = async (manifest, repos_api) => {
+	const results = []
+	const deps = manifest.dependencies || {}
+	const dep_names = Object.keys(deps)
+
+	if (dep_names.length === 0) return results
+
+	const checks = await Promise.all(dep_names.map(async (dep) => {
+		const parts = dep.split('/')
+		if (parts.length !== 2) return { dep, error: `Invalid dependency format: "${dep}". Must be owner/name.` }
+		const [owner, name] = parts
+		const [err] = await repos_api.get_repo(owner, name, { auth: true })
+		return { dep, error: err ? `Dependency "${dep}" not found in the registry.` : null }
+	}))
+
+	for (const { dep, error } of checks) {
+		if (error) {
+			results.push(result('dependencies', 'dep-exists', 'error', error, dep))
+		} else {
+			results.push(result('dependencies', 'dep-exists', 'pass', `Dependency "${dep}" exists`, dep))
+		}
+	}
+
+	return results
+}
+
+const check_visibility_direct = async (manifest, visibility, repos_api) => {
+	const results = []
+	const deps = manifest.dependencies || {}
+	const dep_names = Object.keys(deps)
+
+	if (dep_names.length === 0 || visibility !== 'public') return results
+
+	const checks = await Promise.all(dep_names.map(async (dep) => {
+		const parts = dep.split('/')
+		if (parts.length !== 2) return { dep, visibility: null, error: true }
+		const [owner, name] = parts
+		const [err, repo] = await repos_api.get_repo(owner, name, { auth: true })
+		if (err) return { dep, visibility: null, error: true }
+		return { dep, visibility: repo.visibility, error: false }
+	}))
+
+	for (const check of checks) {
+		if (check.error) continue // already reported by dep-exists
+
+		if (check.visibility === 'private') {
+			results.push(result('dependencies', 'dep-visibility-direct', 'error',
+				`Visibility mismatch: this skill is public but depends on "${check.dep}" which is private. ` +
+				`Unauthenticated users will not be able to install this skill. ` +
+				`To fix: make "${check.dep}" public, or remove it from dependencies.`,
+				check.dep))
+		} else if (check.visibility === 'workspace') {
+			results.push(result('dependencies', 'dep-visibility-workspace', 'warning',
+				`Visibility concern: this skill is public but depends on "${check.dep}" which is workspace-scoped. ` +
+				`Only workspace members will be able to install this skill. ` +
+				`To fix: make "${check.dep}" public for full availability.`,
+				check.dep))
+		} else {
+			results.push(result('dependencies', 'dep-visibility-direct', 'pass',
+				`Dependency "${check.dep}" is public`, check.dep))
+		}
+	}
+
+	return results
+}
+
+const check_visibility_transitive = async (manifest, visibility, repos_api) => {
+	const results = []
+	const deps = manifest.dependencies || {}
+
+	if (Object.keys(deps).length === 0 || visibility !== 'public') return results
+
+	// Use resolve-dependencies to get the full transitive tree
+	const skill_name = manifest._full_name
+	if (!skill_name) return results // can't check without full name
+
+	const [err, data] = await repos_api.resolve_dependencies(skill_name, manifest.version || 'latest', {})
+	if (err) {
+		results.push(result('dependencies', 'dep-visibility-transitive', 'warning',
+			'Could not resolve full dependency tree to check transitive visibility. ' +
+			'Run this check again when connected to the registry.'))
+		return results
+	}
+
+	const packages = data.packages || []
+	const skipped = data.skipped || []
+
+	// Check transitive packages returned by the server for non-public visibility
+	const direct_deps = new Set(Object.keys(deps))
+	for (const pkg of packages) {
+		if (pkg.skill === skill_name) continue // skip self
+		if (direct_deps.has(pkg.skill)) continue // already checked by dep-visibility-direct
+		if (pkg.visibility && pkg.visibility !== 'public') {
+			const chain = _build_chain_from_packages(skill_name, pkg.skill, packages)
+			const chain_str = chain.join(' → ')
+			results.push(result('dependencies', 'dep-visibility-transitive', 'error',
+				`Visibility mismatch in dependency tree: "${pkg.skill}" is ${pkg.visibility}. ` +
+				`Chain: ${chain_str}. ` +
+				`Unauthenticated users will not be able to install this skill. ` +
+				`To fix: make "${pkg.skill}" public, or remove it from "${chain[chain.length - 2]}"'s dependencies.`,
+				pkg.skill))
+		}
+	}
+
+	// Skipped deps (access denied, not found) are also visibility issues
+	for (const s of skipped) {
+		if (s.reason === 'access_denied') {
+			results.push(result('dependencies', 'dep-visibility-transitive', 'error',
+				`Visibility mismatch in dependency tree: "${s.skill}" is ${s.visibility || 'private'} ` +
+				`(required by ${s.required_by}). ` +
+				`Unauthenticated users will not be able to install this skill. ` +
+				`To fix: make "${s.skill}" public, or remove it from "${s.required_by}"'s dependencies.`,
+				s.skill))
+		} else if (s.reason === 'not_found') {
+			results.push(result('dependencies', 'dep-visibility-transitive', 'error',
+				`Missing dependency in tree: "${s.skill}" not found in registry ` +
+				`(required by ${s.required_by}).`,
+				s.skill))
+		}
+	}
+
+	if (!results.some(r => r.rule === 'dep-visibility-transitive' && r.severity !== 'pass')) {
+		results.push(result('dependencies', 'dep-visibility-transitive', 'pass',
+			'All transitive dependencies are public'))
+	}
+
+	return results
+}
+
+const check_circular = async (manifest, repos_api) => {
+	const results = []
+	const deps = manifest.dependencies || {}
+
+	if (Object.keys(deps).length === 0) return results
+
+	const skill_name = manifest._full_name
+	if (!skill_name) return results
+
+	const [err, data] = await repos_api.resolve_dependencies(skill_name, manifest.version || 'latest', {})
+	if (err) return results
+
+	const packages = data.packages || []
+
+	// Build adjacency map from declared dependencies
+	const adj = {}
+	for (const pkg of packages) {
+		adj[pkg.skill] = Object.keys(pkg.dependencies || {})
+	}
+
+	// DFS cycle detection
+	const WHITE = 0, GRAY = 1, BLACK = 2
+	const color = {}
+	const parent = {}
+	const cycles = []
+
+	const dfs = (node, path_so_far) => {
+		color[node] = GRAY
+		for (const neighbor of (adj[node] || [])) {
+			if (color[neighbor] === GRAY) {
+				// Found a cycle — extract it
+				const cycle_start = path_so_far.indexOf(neighbor)
+				if (cycle_start >= 0) {
+					cycles.push([...path_so_far.slice(cycle_start), neighbor])
+				} else {
+					cycles.push([node, neighbor])
+				}
+			} else if ((color[neighbor] || WHITE) === WHITE) {
+				dfs(neighbor, [...path_so_far, neighbor])
+			}
+		}
+		color[node] = BLACK
+	}
+
+	for (const node of Object.keys(adj)) {
+		if ((color[node] || WHITE) === WHITE) {
+			dfs(node, [node])
+		}
+	}
+
+	if (cycles.length > 0) {
+		for (const cycle of cycles) {
+			results.push(result('dependencies', 'dep-circular', 'error',
+				`Circular dependency detected: ${cycle.join(' → ')}. ` +
+				`Remove one direction of the dependency to break the cycle.`,
+				cycle))
+		}
+	} else {
+		results.push(result('dependencies', 'dep-circular', 'pass',
+			'No circular dependencies detected'))
+	}
+
+	return results
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const _build_chain_from_packages = (root, target, packages) => {
+	const adj = {}
+	for (const pkg of packages) {
+		adj[pkg.skill] = Object.keys(pkg.dependencies || {})
+	}
+
+	const queue = [[root]]
+	const seen = new Set([root])
+	while (queue.length) {
+		const path = queue.shift()
+		const node = path[path.length - 1]
+		if (node === target) return path
+		for (const child of (adj[node] || [])) {
+			if (!seen.has(child)) {
+				seen.add(child)
+				queue.push([...path, child])
+			}
+		}
+	}
+	return [root, target]
+}
+
+// ---------------------------------------------------------------------------
+// Main entry point
+// ---------------------------------------------------------------------------
+
+/**
+ * Validate dependency rules.
+ *
+ * @param {string} dir - Skill directory path
+ * @param {object} manifest - Parsed skill.json
+ * @param {object} [options]
+ * @param {boolean}     [options.registry]  - Whether to run registry checks (default: false)
+ * @param {string}      [options.visibility] - Skill's target visibility ('public'|'private'|'workspace')
+ * @param {string}      [options.full_name]  - Full "owner/name" for registry lookups
+ * @param {object}      [options.repos_api]  - API module override (for testing)
+ */
+const validate_dependencies = (dir, manifest, options = {}) =>
+	catch_errors('Dependency validation failed', async () => {
+		const { registry = false, visibility = 'private', full_name, repos_api: api_override } = options
+		const all_results = []
+
+		// Always run local checks
+		all_results.push(...check_self_reference(manifest))
+
+		if (!registry) {
+			return all_results
+		}
+
+		// Registry checks require the API
+		const repos_api = api_override || require('../api/repos')
+		const enriched = { ...manifest, _full_name: full_name }
+
+		const [exist_results, vis_direct_results, vis_trans_results, circ_results] = await Promise.all([
+			check_deps_exist(enriched, repos_api),
+			check_visibility_direct(enriched, visibility, repos_api),
+			check_visibility_transitive(enriched, visibility, repos_api),
+			check_circular(enriched, repos_api)
+		])
+
+		all_results.push(...exist_results)
+		all_results.push(...vis_direct_results)
+		all_results.push(...vis_trans_results)
+		all_results.push(...circ_results)
+
+		return all_results
+	})
+
+module.exports = { validate_dependencies }