happyskills 1.10.1 → 1.12.0

package/CHANGELOG.md

@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [1.12.0] - 2026-06-22
+
+### Added
+
+- Add a `--visibility <private|workspace|public>` flag to `publish` and `release`, making a workspace-visible first publish a single step. Previously the publish path could only emit `public` (via `--public`) or `private`, so shipping a skill as `workspace`-visible (discoverable and installable by every member of the owning workspace, but not public) required a second `visibility` command after publishing. The flag is honored on first publish only — later publishes preserve the existing visibility — and `--visibility` takes precedence over `--public`. `--public` is retained as a backward-compatible shorthand for `--visibility public`; the never-functional `--private` flag (always a silent no-op, since private is the default) is dropped from the documented examples.
+
+### Security
+
+- Cap `.tar.gz` decompression during install — enforce per-file size, total decompressed size, and entry-count limits mid-stream (and reject an oversized download by `Content-Length` before buffering), so a malicious highly-compressible archive can't inflate unbounded and exhaust the consumer's memory/disk. (SSRF-01/SUP-04)
+- Scrub C0/C1 terminal control bytes (`ESC`, `CR`, `BEL`, `DEL`, …) from server-supplied strings at the print boundary, so a crafted skill name or API message can't spoof or attack the terminal. (NEW-C2)
+- Guard server-derived install paths with an `assert_within` check, so a `..` or absolute skill name can't escape the skills directory on install. (NEW-C3)
+- Expand the secret scrubber to redact GitHub tokens (`gh[pousr]_`), AWS access-key IDs (`AKIA`/`ASIA…`), and `postgres://`/`postgresql://` connection strings before feedback context is sent to the backend. (DATA-04)
+- Pin all CLI runtime dependencies to exact locked versions for a reproducible published package. (SUP-09)
+
+## [1.11.0] - 2026-06-12
+
+### Added
+
+- Add `--full-report` support to `pull --rebase`. A clean rebase now attaches the same review enrichment as the 3-way merge mode — per-file inline content (`base_content`, `local_content`, `remote_content`, `merged_content`) for every changed file plus a `resolution_steps` array — to the rebase result, so an agent can run a post-merge semantic-coherence review without extra file reads. Previously `--full-report` was accepted but silently ignored on the rebase path, so the LLM-preferred mode produced no review payload.
+
+### Fixed
+
+- Fix re-pull conflict resolution being a silent no-op. After a conflicted `pull` wrote conflict markers, re-running `pull <skill> --theirs` / `--ours` / `--force` returned `up_to_date` and left the markers in place, so the documented conflict-resolution recipes could not work: a conflicted pull advances the lock's `base_commit` to the remote head, after which every re-pull sees no remote changes and short-circuits before the strategy logic runs. Re-pull now resolves pending conflicts before that short-circuit — `--theirs` / `--ours` (global or per-file) keep the chosen side, strip the markers, recompute integrity, and clear the resolved files from `conflict_files`; `--force` falls through to a fast-forward that overwrites even with conflicts pending; and a bare re-pull reports the pending conflict state (`status: conflicts` with the `conflict_files` list) instead of a misleading `up_to_date`.
+
 ## [1.10.1] - 2026-06-09
 
 ### Fixed

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "happyskills",
-	"version": "1.10.1",
+	"version": "1.12.0",
 	"description": "Package manager for AI agent skills",
 	"license": "SEE LICENSE IN LICENSE",
 	"author": "Nicolas Dao <nic@cloudlesslabs.com> (https://cloudlesslabs.com)",
@@ -43,14 +43,14 @@
 		"node": ">=22.0.0"
 	},
 	"dependencies": {
-		"@jimp/core": "^1.6.0",
-		"@jimp/js-jpeg": "^1.6.0",
-		"@jimp/js-png": "^1.6.0",
-		"@jimp/plugin-resize": "^1.6.0",
-		"node-diff3": "^3.2.0",
-		"puffy-core": "^1.3.1",
-		"semver": "^7.6.0",
-		"tar-stream": "^3.1.8"
+		"@jimp/core": "1.6.1",
+		"@jimp/js-jpeg": "1.6.1",
+		"@jimp/js-png": "1.6.1",
+		"@jimp/plugin-resize": "1.6.1",
+		"node-diff3": "3.2.0",
+		"puffy-core": "1.3.1",
+		"semver": "7.7.4",
+		"tar-stream": "3.1.8"
 	},
 	"devDependencies": {
 		"dotenv": "^17.2.4"

package/src/commands/publish.js

@@ -36,16 +36,40 @@ Arguments:
 Options:
   --bump <type>          Auto-bump version before publishing (patch, minor, major)
   --workspace <slug>     Target workspace (overrides lock file owner)
-  --public               Publish as public (default is private)
+  --visibility <value>   Visibility on first publish: private (default), workspace, or public
+  --public               Shorthand for --visibility public
   --force                Bypass divergence check (may overwrite remote changes)
 
 Aliases: pub
 
+Visibility (set on first publish; preserved on later publishes):
+  private    (default) Only people you explicitly grant access to.
+  workspace  Every member of the owning workspace can find and install it. Not public.
+  public     Anyone — listed in the public registry.
+
 Examples:
   happyskills publish my-skill
   happyskills publish deploy-aws --bump patch
+  happyskills publish team-deploy --workspace acme --visibility workspace
   happyskills pub my-skill --workspace myorg`
 
+const VALID_VISIBILITIES = ['public', 'private', 'workspace']
+
+// Resolve the target visibility from flags. --visibility wins when present
+// (validated against the closed set); --public stays as a backward-compatible
+// shorthand; the default is private. Visibility only takes effect on FIRST
+// publish — later publishes preserve whatever the registry already has.
+const resolve_visibility = (flags) => {
+	if (flags.visibility) {
+		if (!VALID_VISIBILITIES.includes(flags.visibility)) {
+			throw new UsageError(`Invalid visibility "${flags.visibility}". Must be one of: ${VALID_VISIBILITIES.join(', ')}.`)
+		}
+		return flags.visibility
+	}
+	if (flags.public) return 'public'
+	return 'private'
+}
+
 const choose_workspace = (workspaces, preferred) => {
 	if (preferred) {
 		const found = workspaces.find(w => w.slug === preferred)
@@ -136,7 +160,7 @@ const run = (args) => catch_errors('Publish failed', async () => {
 
 	const spinner = create_spinner('Preparing to publish...')
 
-	const visibility = args.flags.public ? 'public' : 'private'
+	const visibility = resolve_visibility(args.flags)
 
 	let owner = args.flags.workspace
 	if (!owner) {
@@ -348,11 +372,12 @@ const schema = {
 	input: {
 		positional: [ { name: 'skill', required: true, type: 'string', description: 'Name of the installed skill' } ],
 		flags: [
-			{ name: 'bump',      type: 'string',  default: undefined, description: 'Auto-bump version before publishing (patch, minor, major)' },
-			{ name: 'workspace', type: 'string',  default: undefined, description: 'Target workspace (overrides lock file owner)' },
-			{ name: 'public',    type: 'boolean', default: false,     description: 'Publish as public (default is private)' },
-			{ name: 'force',     type: 'boolean', default: false,     description: 'Bypass divergence check (may overwrite remote changes)' },
-			{ name: 'json',      type: 'boolean', default: false,     description: 'Output as JSON' },
+			{ name: 'bump',       type: 'string',  default: undefined, description: 'Auto-bump version before publishing (patch, minor, major)' },
+			{ name: 'workspace',  type: 'string',  default: undefined, description: 'Target workspace (overrides lock file owner)' },
+			{ name: 'visibility', type: 'string',  default: undefined, description: 'Visibility on first publish: private (default), workspace, or public' },
+			{ name: 'public',     type: 'boolean', default: false,     description: 'Shorthand for --visibility public' },
+			{ name: 'force',      type: 'boolean', default: false,     description: 'Bypass divergence check (may overwrite remote changes)' },
+			{ name: 'json',       type: 'boolean', default: false,     description: 'Output as JSON' },
 		],
 	},
 	output: {
@@ -375,7 +400,8 @@ const schema = {
 	examples: [
 		'happyskills publish my-skill',
 		'happyskills publish deploy-aws --bump patch',
+		'happyskills publish team-deploy --workspace acme --visibility workspace',
 	],
 }
 
-module.exports = { run, schema }
+module.exports = { run, schema, resolve_visibility }

package/src/commands/publish.test.js

@@ -2,14 +2,15 @@ const { describe, it } = require('node:test')
 const assert = require('node:assert')
 const fs = require('node:fs')
 const path = require('node:path')
+const { resolve_visibility } = require('./publish')
 
 describe('publish.js — Bug 1 regression: visibility temporal-dead-zone', () => {
 	const src = fs.readFileSync(path.join(__dirname, 'publish.js'), 'utf8')
 
 	it('declares `visibility` before passing it to validate_dependencies', () => {
-		const decl_idx = src.search(/const\s+visibility\s*=\s*args\.flags\.public/)
+		const decl_idx = src.search(/const\s+visibility\s*=\s*resolve_visibility\(/)
 		const use_idx = src.search(/validate_dependencies\([\s\S]*?visibility/)
-		assert.notStrictEqual(decl_idx, -1, '`const visibility = args.flags.public ? ...` declaration not found')
+		assert.notStrictEqual(decl_idx, -1, '`const visibility = resolve_visibility(...)` declaration not found')
 		assert.notStrictEqual(use_idx, -1, '`validate_dependencies(... visibility ...)` call not found')
 		assert.ok(
 			decl_idx < use_idx,
@@ -19,3 +20,30 @@ describe('publish.js — Bug 1 regression: visibility temporal-dead-zone', () =>
 		)
 	})
 })
+
+describe('publish.js — resolve_visibility', () => {
+	it('defaults to private when no visibility flags are given', () => {
+		assert.strictEqual(resolve_visibility({}), 'private')
+	})
+
+	it('maps --public to public (backward-compatible shorthand)', () => {
+		assert.strictEqual(resolve_visibility({ public: true }), 'public')
+	})
+
+	it('accepts --visibility workspace', () => {
+		assert.strictEqual(resolve_visibility({ visibility: 'workspace' }), 'workspace')
+	})
+
+	it('accepts --visibility private and --visibility public', () => {
+		assert.strictEqual(resolve_visibility({ visibility: 'private' }), 'private')
+		assert.strictEqual(resolve_visibility({ visibility: 'public' }), 'public')
+	})
+
+	it('lets --visibility win over --public when both are present', () => {
+		assert.strictEqual(resolve_visibility({ visibility: 'workspace', public: true }), 'workspace')
+	})
+
+	it('throws a usage error on an unknown visibility value', () => {
+		assert.throws(() => resolve_visibility({ visibility: 'team' }), /Invalid visibility/)
+	})
+})

package/src/commands/pull.js

@@ -7,6 +7,7 @@ const { detect_status } = require('../merge/detector')
 const { classify_changes } = require('../merge/comparator')
 const { build_report, enrich_file_content, build_resolution_steps } = require('../merge/report')
 const { three_way_merge } = require('../merge/text_merge')
+const { resolve_markers } = require('../merge/marker_resolve')
 const { merge_skill_json } = require('../merge/json_merge')
 const { merge_changelog } = require('../merge/changelog_merge')
 const { hash_blob } = require('../utils/git_hash')
@@ -117,7 +118,7 @@ const run = (args) => catch_errors('Pull failed', async () => {
 	// first capture/fast-forward/reapply flow with structured rejection envelopes.
 	if (args.flags.rebase) {
 		const { rebase_pull } = require('../merge/rebase')
-		const [err, result] = await rebase_pull(skill_name, { project_root: find_project_root(), is_global })
+		const [err, result] = await rebase_pull(skill_name, { project_root: find_project_root(), is_global, full_report })
 		if (err) throw err
 		if (args.flags.json) {
 			print_json({
@@ -194,6 +195,35 @@ const run = (args) => catch_errors('Pull failed', async () => {
 	const base_dir = skills_dir(is_global, project_root)
 	const skill_dir = skill_install_dir(base_dir, repo)
 
+	// Resolve pending conflict markers from a prior pull — local, no registry.
+	// A conflicted pull advanced base_commit to the remote head, so a re-pull
+	// sees no remote changes and would short-circuit to up_to_date, stranding
+	// the markers in place. When the operator supplies a side (--theirs/--ours,
+	// global or per-file), resolve those files here, before the remote
+	// comparison runs. --force is excluded — it means "re-clone the head", which
+	// the fast-forward block below handles.
+	const pending_conflicts = Array.isArray(lock_entry.conflict_files) ? lock_entry.conflict_files : []
+	const has_pending_resolution = pending_conflicts.length > 0 && strategy !== 'force' &&
+		pending_conflicts.some(f => { const s = file_strategy(f); return s === 'theirs' || s === 'ours' })
+	if (has_pending_resolution) {
+		const [res_err, result] = await resolve_pending_conflicts({
+			skill_dir, lock_entry, lock_data, skill_name, file_strategy,
+			is_global, project_root, conflict_files: pending_conflicts
+		})
+		if (res_err) throw res_err[0]
+		if (args.flags.json) {
+			print_json({ data: result })
+		} else {
+			print_success(`Resolved ${result.resolved.length} conflicted file(s) in ${skill_name}`)
+			if (result.conflict_files.length > 0) {
+				print_warn(`${result.conflict_files.length} file(s) still have unresolved conflicts:`)
+				for (const f of result.conflict_files) console.error(`  - ${f}`)
+				print_hint(`Supply a side for them with ${code('--theirs')}/${code('--ours')}, or resolve the markers by hand.`)
+			}
+		}
+		return
+	}
+
 	const spinner = create_spinner(`Pulling ${skill_name}...`)
 
 	// 2. Detect local modifications
@@ -208,8 +238,24 @@ const run = (args) => catch_errors('Pull failed', async () => {
 	const no_remote_changes = cmp_data.added.length === 0 && cmp_data.removed.length === 0 && cmp_data.modified.length === 0
 
 	// 4. Already up to date?
-	if (no_remote_changes) {
+	// When --force is set with conflicts still pending, do NOT short-circuit —
+	// fall through to the fast-forward block below, which re-clones the head and
+	// overwrites (the true meaning of --force).
+	if (no_remote_changes && !(strategy === 'force' && pending_conflicts.length > 0)) {
 		spinner.stop()
+		if (pending_conflicts.length > 0) {
+			// Markers from a prior pull are still pending and no per-file
+			// resolution strategy was supplied — surface that instead of a
+			// misleading up_to_date so the operator knows resolution is pending.
+			if (args.flags.json) {
+				print_json({ data: { status: 'conflicts', skill: skill_name, conflict_files: pending_conflicts } })
+			} else {
+				print_warn(`${skill_name} has unresolved conflict markers in ${pending_conflicts.length} file(s):`)
+				for (const f of pending_conflicts) console.error(`  - ${f}`)
+				print_hint(`Re-pull with ${code('--theirs')}/${code('--ours')} to pick a side, or resolve the markers by hand.`)
+			}
+			return
+		}
 		if (args.flags.json) {
 			print_json({ data: { status: 'up_to_date', skill: skill_name } })
 		} else {
@@ -611,6 +657,52 @@ const reconcile_dependencies = (skill_dir, skill_name, lock_data, is_global, pro
 		}
 	})
 
+// ─── Pending-conflict resolution (marker-based re-pull) ─────────────────────────
+
+// Resolve pending conflict markers locally by picking a side per file. Pure
+// disk + lock work — no registry interaction, because the conflicted pull that
+// wrote the markers already advanced base_commit to the remote head. Mirrors
+// the 3-way path's lock-update: recompute integrity, then clear resolved files
+// from conflict_files (deleting the key when none remain → status returns to
+// clean, matching post-merge behavior). Files listed in conflict_files but
+// missing on disk, or without a theirs/ours strategy, stay in conflict_files.
+const resolve_pending_conflicts = ({ skill_dir, lock_entry, lock_data, skill_name, file_strategy, is_global, project_root, conflict_files }) =>
+	catch_errors('Failed to resolve pending conflicts', async () => {
+		const resolved = []
+		const unresolved = []
+		for (const rel of conflict_files) {
+			const strat = file_strategy(rel)
+			if (strat !== 'theirs' && strat !== 'ours') { unresolved.push(rel); continue }
+			const full = path.join(skill_dir, rel)
+			let text
+			try {
+				text = await fs.promises.readFile(full, 'utf-8')
+			} catch {
+				// Listed in conflict_files but missing on disk — cannot resolve here.
+				unresolved.push(rel)
+				continue
+			}
+			const side = strat === 'theirs' ? 'remote' : 'local'
+			await fs.promises.writeFile(full, resolve_markers(text, side))
+			resolved.push(rel)
+		}
+
+		const [, new_integrity] = await hash_directory(skill_dir)
+		const updated_entry = {
+			...lock_entry,
+			integrity: new_integrity || lock_entry.integrity,
+			base_integrity: new_integrity || lock_entry.base_integrity
+		}
+		if (unresolved.length > 0) updated_entry.conflict_files = unresolved
+		else delete updated_entry.conflict_files
+		const merged_skills = update_lock_skills(lock_data, { [skill_name]: updated_entry })
+		const [wl_err] = await write_lock(lock_root(is_global, project_root), merged_skills)
+		if (wl_err) throw wl_err[0]
+
+		const status = unresolved.length > 0 ? 'conflicts' : 'merged'
+		return { status, skill: skill_name, resolved, conflict_files: unresolved }
+	})
+
 const schema = {
 	name: 'pull',
 	audience: 'consumer',
@@ -657,4 +749,4 @@ const schema = {
 	]
 }
 
-module.exports = { run, schema }
+module.exports = { run, schema, resolve_pending_conflicts }

package/src/commands/pull.test.js

@@ -0,0 +1,199 @@
+'use strict'
+const { describe, it } = require('node:test')
+const assert = require('node:assert/strict')
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+
+const repos_api = require('../api/repos')
+const pull = require('./pull')
+
+// ─── Harness ────────────────────────────────────────────────────────────────
+
+const MARKERED_SKILL_MD = [
+	'# Deploy AWS',
+	'',
+	'<<<<<<< LOCAL',
+	'local instructions',
+	'=======',
+	'remote instructions',
+	'>>>>>>> REMOTE',
+	'',
+	'trailing section',
+	''
+].join('\n')
+
+// Stub the registry surface used by `run`. compare reports no remote changes
+// (base_commit == head), which is the post-conflict state: a prior conflicted
+// pull already advanced base_commit to head. clone returns base files so the
+// pre-fix detect_status fallback (find_modified_files) stays hermetic.
+const with_stubbed_registry = async (head_commit, fn) => {
+	const orig = { compare: repos_api.compare, clone: repos_api.clone, get_blob: repos_api.get_blob }
+	repos_api.compare = async () => [null, { added: [], removed: [], modified: [], head_commit, head_version: '1.0.1' }]
+	repos_api.clone = async () => [null, { ref: 'refs/tags/v1.0.0', commit: head_commit, files: [
+		{ path: 'SKILL.md', content: Buffer.from('# Deploy AWS\n').toString('base64'), sha: 'sha-base-skillmd' },
+		{ path: 'skill.json', content: Buffer.from('{"name":"deploy-aws","version":"1.0.0"}').toString('base64'), sha: 'sha-base-json' }
+	] }]
+	repos_api.get_blob = async () => [null, { content: Buffer.from('').toString('base64') }]
+	try { return await fn() } finally { Object.assign(repos_api, orig) }
+}
+
+const capture_stdout = async (fn) => {
+	const orig = console.log
+	const lines = []
+	console.log = (...a) => lines.push(a.map(String).join(' '))
+	try { await fn() } finally { console.log = orig }
+	return lines.join('\n')
+}
+
+const setup_conflicted_skill = (head_commit, opts = {}) => {
+	const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hs-pull-test-'))
+	const skill_dir = path.join(root, '.agents', 'skills', 'deploy-aws')
+	fs.mkdirSync(skill_dir, { recursive: true })
+	fs.writeFileSync(path.join(skill_dir, 'SKILL.md'), opts.skill_md || MARKERED_SKILL_MD)
+	fs.writeFileSync(path.join(skill_dir, 'skill.json'), JSON.stringify({ name: 'deploy-aws', version: '1.0.0' }, null, '\t'))
+	const lock = {
+		lockVersion: 2,
+		generatedAt: '2026-06-10T00:00:00.000Z',
+		skills: {
+			'acme/deploy-aws': {
+				version: '1.0.0',
+				ref: 'refs/tags/v1.0.0',
+				commit: head_commit,
+				integrity: 'sha256-stale',
+				base_commit: head_commit,
+				base_integrity: 'sha256-stale',
+				conflict_files: opts.conflict_files || ['SKILL.md'],
+				requested_by: ['__root__'],
+				dependencies: {}
+			}
+		}
+	}
+	fs.writeFileSync(path.join(root, 'skills-lock.json'), JSON.stringify(lock, null, 2))
+	return { root, skill_dir }
+}
+
+const read_lock_entry = (root) =>
+	JSON.parse(fs.readFileSync(path.join(root, 'skills-lock.json'), 'utf-8')).skills['acme/deploy-aws']
+
+const run_pull = (root, head, flags) => with_stubbed_registry(head, () => capture_stdout(async () => {
+	const orig_cwd = process.cwd()
+	process.chdir(root)
+	try { await pull.run({ _: ['acme/deploy-aws'], flags }) } finally { process.chdir(orig_cwd) }
+}))
+
+// ─── §4.1 repro: dead re-pull paths ──────────────────────────────────────────
+
+describe('pull §4.1 — re-pull resolves pending conflict markers', () => {
+	it('--theirs resolves markers to the remote side, clears conflict_files, recomputes integrity', async () => {
+		const head = 'head_commit_abc'
+		const { root, skill_dir } = setup_conflicted_skill(head)
+		try {
+			const out = await run_pull(root, head, { theirs: true, json: true })
+			const env = JSON.parse(out)
+			assert.strictEqual(env.data.status, 'merged', 'status should be merged after full resolution')
+
+			const skill_md = fs.readFileSync(path.join(skill_dir, 'SKILL.md'), 'utf-8')
+			assert.ok(!skill_md.includes('<<<<<<<'), 'LOCAL marker must be gone')
+			assert.ok(!skill_md.includes('>>>>>>>'), 'REMOTE marker must be gone')
+			assert.ok(!skill_md.includes('======='), 'separator must be gone')
+			assert.ok(skill_md.includes('remote instructions'), 'remote side kept')
+			assert.ok(!skill_md.includes('local instructions'), 'local side dropped')
+
+			const entry = read_lock_entry(root)
+			assert.ok(!entry.conflict_files, 'conflict_files cleared from lock')
+			assert.notStrictEqual(entry.integrity, 'sha256-stale', 'integrity recalculated')
+			assert.strictEqual(entry.integrity, entry.base_integrity, 'integrity and base_integrity match (clean)')
+		} finally { fs.rmSync(root, { recursive: true, force: true }) }
+	})
+
+	it('--ours resolves markers to the local side', async () => {
+		const head = 'head_commit_def'
+		const { root, skill_dir } = setup_conflicted_skill(head)
+		try {
+			const out = await run_pull(root, head, { ours: true, json: true })
+			const env = JSON.parse(out)
+			assert.strictEqual(env.data.status, 'merged')
+			const skill_md = fs.readFileSync(path.join(skill_dir, 'SKILL.md'), 'utf-8')
+			assert.ok(skill_md.includes('local instructions'), 'local side kept')
+			assert.ok(!skill_md.includes('remote instructions'), 'remote side dropped')
+			assert.ok(!skill_md.includes('<<<<<<<'))
+		} finally { fs.rmSync(root, { recursive: true, force: true }) }
+	})
+
+	it('bare re-pull surfaces the pending conflict state instead of up_to_date', async () => {
+		const head = 'head_commit_ghi'
+		const { root, skill_dir } = setup_conflicted_skill(head)
+		try {
+			const out = await run_pull(root, head, { json: true })
+			const env = JSON.parse(out)
+			assert.strictEqual(env.data.status, 'conflicts', 'bare re-pull must not say up_to_date when conflicts pending')
+			assert.deepEqual(env.data.conflict_files, ['SKILL.md'])
+			// Markers untouched — nothing was resolved.
+			const skill_md = fs.readFileSync(path.join(skill_dir, 'SKILL.md'), 'utf-8')
+			assert.ok(skill_md.includes('<<<<<<<'), 'markers remain on a bare re-pull')
+		} finally { fs.rmSync(root, { recursive: true, force: true }) }
+	})
+})
+
+// ─── §4.1 wiring: resolve_pending_conflicts ──────────────────────────────────
+
+describe('pull.resolve_pending_conflicts', () => {
+	const make_dir = () => fs.mkdtempSync(path.join(os.tmpdir(), 'hs-resolve-test-'))
+	const block = (l, r) => `<<<<<<< LOCAL\n${l}\n=======\n${r}\n>>>>>>> REMOTE\n`
+
+	it('applies a per-file strategy mix (theirs for one, ours for another)', async () => {
+		const root = make_dir()
+		try {
+			const skill_dir = path.join(root, '.agents', 'skills', 'deploy-aws')
+			fs.mkdirSync(path.join(skill_dir, 'references'), { recursive: true })
+			fs.writeFileSync(path.join(skill_dir, 'SKILL.md'), block('skill-local', 'skill-remote'))
+			fs.writeFileSync(path.join(skill_dir, 'references', 'foo.md'), block('foo-local', 'foo-remote'))
+			fs.writeFileSync(path.join(skill_dir, 'skill.json'), '{"name":"deploy-aws","version":"1.0.0"}')
+
+			const lock_entry = { version: '1.0.0', base_commit: 'h', integrity: 'sha256-stale', base_integrity: 'sha256-stale', conflict_files: ['SKILL.md', 'references/foo.md'] }
+			const lock_data = { lockVersion: 2, skills: { 'acme/deploy-aws': lock_entry } }
+			const file_strategy = (f) => f === 'SKILL.md' ? 'theirs' : f === 'references/foo.md' ? 'ours' : null
+
+			const [err, result] = await pull.resolve_pending_conflicts({
+				skill_dir, lock_entry, lock_data, skill_name: 'acme/deploy-aws',
+				file_strategy, is_global: false, project_root: root, conflict_files: ['SKILL.md', 'references/foo.md']
+			})
+			assert.ok(!err, 'no error')
+			assert.strictEqual(result.status, 'merged')
+			assert.deepEqual(result.resolved.sort(), ['SKILL.md', 'references/foo.md'])
+
+			assert.strictEqual(fs.readFileSync(path.join(skill_dir, 'SKILL.md'), 'utf-8'), 'skill-remote\n', 'theirs → remote')
+			assert.strictEqual(fs.readFileSync(path.join(skill_dir, 'references', 'foo.md'), 'utf-8'), 'foo-local\n', 'ours → local')
+
+			const entry = JSON.parse(fs.readFileSync(path.join(root, 'skills-lock.json'), 'utf-8')).skills['acme/deploy-aws']
+			assert.ok(!entry.conflict_files, 'conflict_files cleared')
+		} finally { fs.rmSync(root, { recursive: true, force: true }) }
+	})
+
+	it('leaves a file listed in conflict_files but missing on disk unresolved', async () => {
+		const root = make_dir()
+		try {
+			const skill_dir = path.join(root, '.agents', 'skills', 'deploy-aws')
+			fs.mkdirSync(skill_dir, { recursive: true })
+			fs.writeFileSync(path.join(skill_dir, 'SKILL.md'), block('a', 'b'))
+			fs.writeFileSync(path.join(skill_dir, 'skill.json'), '{"name":"deploy-aws","version":"1.0.0"}')
+
+			const lock_entry = { version: '1.0.0', base_commit: 'h', integrity: 'sha256-stale', base_integrity: 'sha256-stale', conflict_files: ['SKILL.md', 'references/gone.md'] }
+			const lock_data = { lockVersion: 2, skills: { 'acme/deploy-aws': lock_entry } }
+			const file_strategy = () => 'theirs'
+
+			const [err, result] = await pull.resolve_pending_conflicts({
+				skill_dir, lock_entry, lock_data, skill_name: 'acme/deploy-aws',
+				file_strategy, is_global: false, project_root: root, conflict_files: ['SKILL.md', 'references/gone.md']
+			})
+			assert.ok(!err)
+			assert.strictEqual(result.status, 'conflicts', 'unresolved file keeps status conflicts')
+			assert.deepEqual(result.resolved, ['SKILL.md'])
+			assert.deepEqual(result.conflict_files, ['references/gone.md'])
+
+			const entry = JSON.parse(fs.readFileSync(path.join(root, 'skills-lock.json'), 'utf-8')).skills['acme/deploy-aws']
+			assert.deepEqual(entry.conflict_files, ['references/gone.md'], 'missing file stays in conflict_files')
+		} finally { fs.rmSync(root, { recursive: true, force: true }) }
+	})
+})

package/src/commands/release.js

@@ -34,13 +34,15 @@ Options:
   --no-bump                       Refuse to bump; require disk to be already ahead
   --changelog-from <auto|file>    Source for the new CHANGELOG entry (default: read from CHANGELOG.md)
   --workspace <slug>              Target workspace
-  --public | --private            Visibility on first publish only
+  --visibility <value>            Visibility on first publish: private (default), workspace, or public
+  --public                        Shorthand for --visibility public
   --dry-run                       Validate + check status, do not mutate
   --json                          Output as JSON
 
 Examples:
   happyskills release my-skill --workspace acme --json
   happyskills release my-skill --bump patch --workspace acme --json
+  happyskills release team-deploy --workspace acme --visibility workspace --json
   happyskills release my-skill --no-bump --json  # disk is already ahead`
 
 const envelope_error = (code_str, message, extra = {}) => ({ error: { code: code_str, message, ...extra } })
@@ -384,6 +386,7 @@ const orchestrate = (args) => catch_errors('Release failed', async () => {
 
 	const { spawn } = require('child_process')
 	const publish_args = [path.resolve(__dirname, '../../bin/happyskills.js'), 'publish', skill_name, '--workspace', resolved_workspace, '--json']
+	if (args.flags.visibility) publish_args.push('--visibility', args.flags.visibility)
 	if (args.flags.public) publish_args.push('--public')
 	if (args.flags.force) publish_args.push('--force')
 
@@ -494,7 +497,8 @@ const schema = {
 			{ name: 'no-bump',        type: 'boolean', default: false,     description: 'Refuse to bump; require disk to already be ahead' },
 			{ name: 'changelog-from', type: 'string',  default: undefined, description: 'Source for the new CHANGELOG entry (auto or file path)' },
 			{ name: 'workspace',      type: 'string',  default: undefined, description: 'Target workspace slug' },
-			{ name: 'public',         type: 'boolean', default: false,     description: 'Publish as public on first publish' },
+			{ name: 'visibility',     type: 'string',  default: undefined, description: 'Visibility on first publish: private (default), workspace, or public' },
+			{ name: 'public',         type: 'boolean', default: false,     description: 'Shorthand for --visibility public' },
 			{ name: 'dry-run',        type: 'boolean', default: false,     description: 'Validate and check status without mutating' },
 			{ name: 'json',           type: 'boolean', default: false,     description: 'Output as JSON' },
 		],

package/src/config/limits.js

@@ -3,9 +3,11 @@
 // validation will be rejected by the API.
 
 const MAX_FILE_SIZE = 1 * 1024 * 1024   // 1 MB per file
-const MAX_TOTAL_SIZE = 1 * 1024 * 1024  // 1 MB per skill bundle
+const MAX_TOTAL_SIZE = 1 * 1024 * 1024  // 1 MB per skill bundle (also the decompressed-archive cap — SUP-04)
+const MAX_FILE_COUNT = 1000             // max entries per archive (zip-bomb / DoS guard; real skills have <100 files) — SUP-04
 
 module.exports = {
 	MAX_FILE_SIZE,
-	MAX_TOTAL_SIZE
+	MAX_TOTAL_SIZE,
+	MAX_FILE_COUNT
 }

package/src/config/paths.js

@@ -22,6 +22,18 @@ const skills_dir = (global = false, project_root) => {
 	return global ? global_skills_dir() : project_skills_dir(project_root)
 }
 
+// NEW-C3 (spec 260603-02 §4 Tier 3). The install-dir name is server-derived; a
+// `..` or absolute component would let it escape the skills directory and write
+// elsewhere on disk. Defense-in-depth: confirm the joined path stays under base.
+const assert_within = (base, full) => {
+	const r_base = path.resolve(base)
+	const r_full = path.resolve(full)
+	if (r_full !== r_base && !r_full.startsWith(r_base + path.sep)) {
+		throw new Error(`Unsafe install path "${full}": escapes the skills directory ${base}`)
+	}
+	return full
+}
+
 const tmp_dir = (base_skills_dir) => path.join(base_skills_dir, '.tmp')
 
 const install_lock_path = (base_skills_dir) => path.join(base_skills_dir, '.install.lock')
@@ -32,7 +44,7 @@ const lock_root = (is_global, project_root) => {
 
 const lock_file_path = (project_root = process.cwd()) => path.join(project_root, 'skills-lock.json')
 
-const skill_install_dir = (base_skills_dir, name) => path.join(base_skills_dir, name)
+const skill_install_dir = (base_skills_dir, name) => assert_within(base_skills_dir, path.join(base_skills_dir, name))
 
 const find_project_root = (start_dir = process.cwd()) => path.resolve(start_dir)
 
@@ -41,8 +53,10 @@ const agent_skills_dir = (agent, global = false, project_root) => {
 	return path.join(project_root || process.cwd(), agent.skills_dir)
 }
 
-const agent_skill_install_dir = (agent, global, project_root, skill_name) =>
-	path.join(agent_skills_dir(agent, global, project_root), skill_name)
+const agent_skill_install_dir = (agent, global, project_root, skill_name) => {
+	const base = agent_skills_dir(agent, global, project_root)
+	return assert_within(base, path.join(base, skill_name))
+}
 
 module.exports = {
 	home_dir,
@@ -59,5 +73,6 @@ module.exports = {
 	skill_install_dir,
 	find_project_root,
 	agent_skills_dir,
-	agent_skill_install_dir
+	agent_skill_install_dir,
+	assert_within
 }

package/src/config/paths.test.js

@@ -143,4 +143,19 @@ describe('paths', () => {
 			assert.strictEqual(paths.find_project_root(), path.resolve(process.cwd()))
 		})
 	})
+
+	// NEW-C3 — the server-derived install-dir name must not escape the skills dir.
+	describe('install-dir path safety (NEW-C3)', () => {
+		const base = path.join(os.tmpdir(), 'hs-skills-base')
+
+		it('allows a normal (possibly nested) skill dir under base', () => {
+			assert.strictEqual(paths.skill_install_dir(base, 'owner/skill'), path.join(base, 'owner/skill'))
+			assert.strictEqual(paths.assert_within(base, path.join(base, 'a', 'b')), path.join(base, 'a', 'b'))
+		})
+
+		it('rejects a name that traverses out of base', () => {
+			assert.throws(() => paths.skill_install_dir(base, '../../etc/evil'), /escapes the skills directory/)
+			assert.throws(() => paths.assert_within(base, '/etc/passwd'), /escapes/)
+		})
+	})
 })