norn-cli 1.10.3 → 1.10.5

package/AGENTS.md

@@ -2,6 +2,14 @@
 
 These instructions apply to all conversations about the Norn VS Code extension.
 
+## Repo Boundary
+
+These instructions apply only inside `/Users/petercrest/Worktable/Projects/vsApi`.
+
+- Do **not** apply them to standalone work in sibling repos such as `/Users/petercrest/Worktable/Projects/norn_website`.
+- If a task is website-only, prefer the website repo's local instructions instead.
+- Only use these rules for cross-repo work when the task explicitly includes `vsApi`.
+
 ## CLI Support is Mandatory
 
 Every feature implementation must work in both:
@@ -17,10 +25,10 @@ Before considering any feature complete, verify it works in the CLI. The CLI sha
 **ALWAYS use the local compiled CLI:**
 ```bash
 # Correct - runs your local development version
-node ./dist/cli.js run tests/file.norn --env prelive
+node ./dist/cli.js tests/file.norn --env prelive
 
 # WRONG - runs the published npm package, ignores your changes
-npx norn run tests/file.norn
+npx norn tests/file.norn
 ```
 
 Before testing CLI changes:
@@ -33,6 +41,7 @@ When implementing features, check the `.github/skills/` directory for relevant s
 
 - **If a skill is incorrect or outdated:** Update it with the correct information
 - **If a skill is missing:** Create a new one following the Agent Skills format
+- After creating or editing skills, run `npm run validate:skills`
 
 Skills should capture lessons learned and patterns discovered during implementation to help future development.
 

package/CHANGELOG.md

@@ -4,6 +4,35 @@ All notable changes to the "Norn" extension will be documented in this file.
 
 ## [Unreleased]
 
+## [1.10.5] - 2026-03-28
+
+### Improved
+- **URL-Encoded Request Bodies (Extension + CLI)**:
+  - Added stricter shared validation for `application/x-www-form-urlencoded` request bodies so malformed lines now fail fast with clear preflight errors in both the editor and CLI.
+  - Added support for single-line ampersand-delimited form bodies such as `key1=value1&key2=value2`.
+  - Preserved raw-request header-group workflows by stripping standalone header-group lines from the request body before validation and send.
+
+### Fixed
+- **Imported Parameterized Sequences**:
+  - Fixed `.norn` import resolution so imported helper sequences keep their parameter lists and can be invoked correctly from other files.
+
+- **Form Body Syntax Highlighting**:
+  - Fixed `.norn` syntax coloring so URL-encoded body lines are highlighted correctly after inline headers in raw request blocks.
+
+## [1.10.4] - 2026-03-21
+
+### Improved
+- **Request Failure Response Panel**:
+  - Refreshed request-failure views with a clearer error summary, request context bar, structured issue cards, and common-cause guidance.
+
+### Changed
+- **Regression + Contributor Tooling**:
+  - Standardized regression test docs and scripts around `node ./dist/cli.js`, added `npm run validate:skills`, and refreshed bundled skill/demo assets.
+
+### Fixed
+- **SQL Server Live Regression Fixture**:
+  - Made the SQL Server Docker regression setup safe to rerun during repeated local release verification.
+
 ## [1.10.2] - 2026-03-15
 
 ### Fixed
@@ -677,8 +706,8 @@ All notable changes to the "Norn" extension will be documented in this file.
 - **Tag Diagnostics**: Warning when tags are placed incorrectly (not before `sequence`)
 
 ### Changed
-- **Regression Test Runner**: `run-all.sh` now supports `--tag` and `--tags` options
-  - Example: `./run-all.sh --tag smoke` runs only smoke-tagged sequences
+- **Regression Test Filtering**: Regression CLI runs support `--tag` and `--tags` options
+  - Example: `node ./dist/cli.js tests/Regression/ --env prelive --tag smoke` runs only smoke-tagged sequences
 
 ## [1.0.25] - 2026-01-28
 

package/demos/tests-showcase/01-single-requests.norn

@@ -0,0 +1,31 @@
+
+GET https://httpbin.org/uuid
+
+GET https://httpbin.org/anything/catalog?region=uk&segment=enterprise
+
+
+
+
+
+POST https://httpbin.org/post
+Content-Type: application/json
+Accept: application/json
+X-Demo-Stage: exploratory-json
+{
+    "customerId": "C-1001",
+    "workspace": "Northwind",
+    "plan": "Enterprise"
+}
+
+
+POST https://httpbin.org/post
+Content-Type: application/json
+Accept: application/json
+X-Demo-Stage: exploratory-quote
+X-Demo-Audience: exploratory-testers
+{
+    "customerId": "C-1001",
+    "step": "quote-preview",
+    "seats": 250,
+    "currency": "GBP"
+}

package/demos/tests-showcase/02-sequences.norn

@@ -0,0 +1,54 @@
+
+
+@demo
+test sequence SimpleRequestChain
+    print "Simple requests" | "Bare URLs become a repeatable flow with assertions."
+
+    GET https://httpbin.org/uuid
+    assert $1.status == 200
+    var traceId = $1.body.uuid
+
+    GET https://httpbin.org/anything/catalog?region=uk&segment=enterprise&trace={{traceId}}
+    assert $2.status == 200
+    assert $2.body.args.region == "uk"
+    assert $2.body.args.segment == "enterprise"
+    assert $2.body.url contains "{{traceId}}"
+
+    print "Trace id" | "{{traceId}}"
+end sequence
+
+@demo
+test sequence RichRequestChain
+    print "Headers and payloads" | "The same idea works when the requests carry real data."
+
+    var draft = POST https://httpbin.org/post
+    Content-Type: application/json
+    Accept: application/json
+    X-Demo-Stage: sequence-draft
+    {
+        "customerId": "C-1001",
+        "workspace": "Northwind",
+        "plan": "Enterprise"
+    }
+
+    assert draft.status == 200
+    assert draft.body.json.customerId == "C-1001"
+    var customerId = draft.body.json.customerId
+
+    var quote = POST https://httpbin.org/post
+    Content-Type: application/json
+    Accept: application/json
+    X-Demo-Stage: sequence-quote
+    {
+        "customerId": "{{customerId}}",
+        "step": "quote-preview",
+        "seats": 250,
+        "currency": "GBP"
+    }
+
+    assert quote.status == 200
+    assert quote.body.json.customerId == "C-1001"
+    assert quote.body.json.step == "quote-preview"
+
+    print "Chained value" | "customerId={{customerId}}"
+end sequence

package/demos/tests-showcase/03-sidecars.norn

@@ -0,0 +1,42 @@
+import "./demo-api.nornapi"
+
+@demo
+test sequence CleanerExplorationFlow
+    print "Cleaner requests" | "Shared setup moved into .nornapi and .nornenv."
+
+    var trace = GET GetTraceId
+    assert trace.status == 200
+
+    var catalog = GET BrowseCustomer({{demoCustomerId}}) DemoHeaders
+    assert catalog.status == 200
+    assert catalog.body.args.region == "uk"
+    assert catalog.body.url contains "/customers/C-1001"
+
+    print "Why this helps" | "The request lines stay focused on intent, not plumbing."
+end sequence
+
+@demo
+test sequence CleanerPayloadFlow
+    var draft = POST SaveDraft Json DemoHeaders
+    {
+        "customerId": "{{demoCustomerId}}",
+        "workspace": "{{workspaceName}}",
+        "owner": "{{ownerName}}"
+    }
+
+    assert draft.status == 200
+    assert draft.body.json.workspace == "Northwind-Workspace"
+
+    var quote = POST QuotePreview Json DemoHeaders
+    {
+        "customerId": "{{demoCustomerId}}",
+        "traceId": "{{tracePrefix}}-001",
+        "step": "quote-preview",
+        "seats": 250
+    }
+
+    assert quote.status == 200
+    assert quote.body.json.step == "quote-preview"
+
+    print "Cleaner file" | "Base URL, reusable headers, and shared names are all sidecars now."
+end sequence

package/demos/tests-showcase/04-api-plus-sql.norn

@@ -0,0 +1,27 @@
+import "./demo-api.nornapi"
+import "./db//testDb.nornsql"
+
+@demo
+test sequence ApiPlusSqlDemo
+    print "API plus SQL" | "Show the service call and the data-side check in one workflow."
+
+    var quote = POST QuotePreview Json DemoHeaders
+    {
+        "customerId": "{{demoCustomerId}}",
+        "step": "quote-preview",
+        "seats": 250,
+        "currency": "GBP"
+    }
+
+    assert quote.status == 200
+    assert quote.body.json.customerId == "C-1001"
+
+    var buyers = run sql ListBuyerAccounts("Enterprise")
+    assert buyers[0].Segment == "Enterprise"
+    assert buyers[0].Company == "Northwind Retail"
+
+    var audit = run sql RecordDemoRun("northwind@example.com", "buyer-showcase")
+    assert audit.affectedRows == 1
+
+    print "SQL sidecar" | "HTTP stays in .norn, SQL stays in .nornsql, config stays in sidecars."
+end sequence

package/demos/tests-showcase/db/testDb.nornsql

@@ -0,0 +1,12 @@
+connection buyerDemoDb
+
+query ListBuyerAccounts(segment)
+select Id, Company, Email, Segment
+from Buyers
+where Segment = :segment
+end query
+
+command RecordDemoRun(email, scenario)
+insert into DemoAudit (Email, Scenario)
+values (:email, :scenario)
+end command

package/demos/tests-showcase/demo-api.nornapi

@@ -0,0 +1,17 @@
+headers Json
+Content-Type: application/json
+Accept: application/json
+end headers
+
+headers DemoHeaders
+X-Demo-Stage: {{demoStage}}
+X-Demo-Audience: {{audience}}
+X-Demo-Owner: {{ownerName}}
+end headers
+
+endpoints
+    GetTraceId: GET {{baseUrl}}/uuid
+    BrowseCustomer: GET {{baseUrl}}/anything/customers/{customerId}?region={{region}}
+    SaveDraft: POST {{baseUrl}}/post
+    QuotePreview: POST {{baseUrl}}/post
+end endpoints

package/demos/tests-showcase/norn.adapters.json

@@ -0,0 +1,8 @@
+{
+  "version": 1,
+  "adapters": {
+    "buyer-demo-sql-adapter": {
+      "command": ["node", "./scripts/fake-sql-adapter.js"]
+    }
+  }
+}

package/demos/tests-showcase/norn.sql.json

@@ -0,0 +1,9 @@
+{
+  "version": 1,
+  "connections": {
+    "buyerDemoDb": {
+      "adapter": "buyer-demo-sql-adapter",
+      "profile": "buyerDemoDb"
+    }
+  }
+}

package/demos/tests-showcase/scripts/fake-sql-adapter.js

@@ -0,0 +1,70 @@
+const chunks = [];
+
+process.stdin.on('data', chunk => {
+  chunks.push(chunk);
+});
+
+process.stdin.on('end', () => {
+  try {
+    const request = JSON.parse(Buffer.concat(chunks).toString('utf8'));
+    const values = request.connection && request.connection.values ? request.connection.values : {};
+
+    if (!values.server || !values.database || !values.user || !values.password) {
+      process.stdout.write(JSON.stringify({
+        success: false,
+        error: 'Missing expected buyerDemoDb connection values'
+      }));
+      process.exit(0);
+      return;
+    }
+
+    switch (request.operation.name) {
+      case 'ListBuyerAccounts': {
+        const segment = request.params.segment;
+        process.stdout.write(JSON.stringify({
+          success: true,
+          result: {
+            kind: 'rows',
+            rowCount: 2,
+            rows: [
+              {
+                Id: 1,
+                Company: 'Northwind Retail',
+                Email: 'northwind@example.com',
+                Segment: segment
+              },
+              {
+                Id: 2,
+                Company: 'Contoso Services',
+                Email: 'contoso@example.com',
+                Segment: segment
+              }
+            ]
+          }
+        }));
+        return;
+      }
+
+      case 'RecordDemoRun':
+        process.stdout.write(JSON.stringify({
+          success: true,
+          result: {
+            kind: 'exec',
+            affectedRows: 1
+          }
+        }));
+        return;
+
+      default:
+        process.stdout.write(JSON.stringify({
+          success: false,
+          error: `Unknown buyer showcase SQL operation: ${request.operation.name}`
+        }));
+    }
+  } catch (error) {
+    process.stdout.write(JSON.stringify({
+      success: false,
+      error: error instanceof Error ? error.message : String(error)
+    }));
+  }
+});

package/dist/cli.js

@@ -102749,8 +102749,9 @@ ${resolvedContent}`);
           });
         } else {
           sequenceSources.set(lowerName, absolutePath);
+          const resolvedDeclaration = substituteVariables(seq.declaration, importedVariables);
           const resolvedContent = substituteVariables(seq.content, importedVariables);
-          importedContents.push(`sequence ${seq.name}
+          importedContents.push(`${resolvedDeclaration}
 ${resolvedContent}
 end sequence`);
         }
@@ -102781,17 +102782,20 @@ function extractSequencesFromText(text) {
   let currentSequence = null;
   for (let i = 0; i < lines.length; i++) {
     const line2 = lines[i].trim();
-    const sequenceMatch = line2.match(/^sequence\s+([a-zA-Z_][a-zA-Z0-9_-]*)$/);
+    const lineWithoutComment = stripInlineComment(line2);
+    const sequenceMatch = lineWithoutComment.match(/^sequence\s+([a-zA-Z_][a-zA-Z0-9_-]*)(\s*\([^)]*\))?\s*$/);
     if (sequenceMatch) {
       currentSequence = {
         name: sequenceMatch[1],
+        declaration: `sequence ${sequenceMatch[1]}${sequenceMatch[2] || ""}`,
         lines: []
       };
       continue;
     }
-    if (line2 === "end sequence" && currentSequence) {
+    if (lineWithoutComment === "end sequence" && currentSequence) {
       sequences.push({
         name: currentSequence.name,
+        declaration: currentSequence.declaration,
         content: currentSequence.lines.join("\n")
       });
       currentSequence = null;
@@ -108597,6 +108601,88 @@ function getVerifyTlsCertificates() {
   return verifyTlsCertificates;
 }
 
+// src/formUrlEncoded.ts
+function parseEqualsField(segment) {
+  const eqIndex = segment.indexOf("=");
+  if (eqIndex <= 0) {
+    return null;
+  }
+  return {
+    key: segment.substring(0, eqIndex).trim(),
+    value: segment.substring(eqIndex + 1).trim()
+  };
+}
+function isFormUrlEncodedContentType(contentType) {
+  return Boolean(contentType && contentType.toLowerCase().includes("application/x-www-form-urlencoded"));
+}
+function parseFormUrlEncodedLines(lines) {
+  const fields = [];
+  const errors = [];
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex++) {
+    const line2 = lines[lineIndex].trim();
+    if (!line2) {
+      continue;
+    }
+    const firstEqIndex = line2.indexOf("=");
+    const firstColonIndex = line2.indexOf(":");
+    if (firstEqIndex > 0 && (firstColonIndex === -1 || firstEqIndex < firstColonIndex)) {
+      if (line2.includes("&")) {
+        const segments = line2.split("&").map((segment) => segment.trim());
+        const hasInvalidSegment = segments.some((segment) => !parseEqualsField(segment));
+        if (hasInvalidSegment) {
+          errors.push({
+            lineIndex,
+            line: line2,
+            message: "Ampersand-delimited form body lines must use key=value for every segment."
+          });
+          continue;
+        }
+        for (const segment of segments) {
+          const field2 = parseEqualsField(segment);
+          if (field2) {
+            fields.push(field2);
+          }
+        }
+        continue;
+      }
+      const field = parseEqualsField(line2);
+      if (field) {
+        fields.push(field);
+        continue;
+      }
+    }
+    if (firstColonIndex > 0) {
+      fields.push({
+        key: line2.substring(0, firstColonIndex).trim(),
+        value: line2.substring(firstColonIndex + 1).trim()
+      });
+      continue;
+    }
+    errors.push({
+      lineIndex,
+      line: line2,
+      message: "Expected key=value, key: value, or ampersand-delimited key=value pairs."
+    });
+  }
+  return { fields, errors };
+}
+function parseFormUrlEncodedBody(body) {
+  if (!body) {
+    return { fields: [], errors: [] };
+  }
+  return parseFormUrlEncodedLines(body.split("\n"));
+}
+function encodeFormUrlEncodedBody(body) {
+  const { fields, errors } = parseFormUrlEncodedBody(body);
+  if (errors.length > 0) {
+    return { encodedBody: "", errors };
+  }
+  return {
+    encodedBody: fields.map((field) => `${encodeURIComponent(field.key)}=${encodeURIComponent(field.value)}`).join("&"),
+    errors: []
+  };
+}
+
 // src/httpClient.ts
 var sharedCookieJar = new CookieJar();
 var insecureHttpsAgent = new https2.Agent({ rejectUnauthorized: false });
@@ -108661,24 +108747,23 @@ async function sendRequestWithJar(request, jar, retryOptions) {
             (key) => key.toLowerCase() === "content-type"
           );
           const contentTypeValue = contentType ? headers[contentType] : "";
-          if (contentTypeValue.includes("application/x-www-form-urlencoded")) {
-            const lines = currentBody.split("\n").map((line2) => line2.trim()).filter((line2) => line2);
-            const params = lines.map((line2) => {
-              if (line2.includes("=")) {
-                const eqIndex = line2.indexOf("=");
-                const key = line2.substring(0, eqIndex).trim();
-                const value = line2.substring(eqIndex + 1).trim();
-                return `${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
-              }
-              const colonIndex = line2.indexOf(":");
-              if (colonIndex > 0) {
-                const key = line2.substring(0, colonIndex).trim();
-                const value = line2.substring(colonIndex + 1).trim();
-                return `${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
-              }
-              return encodeURIComponent(line2);
-            });
-            data = params.join("&");
+          if (isFormUrlEncodedContentType(contentTypeValue)) {
+            const encoded = encodeFormUrlEncodedBody(currentBody);
+            if (encoded.errors.length > 0) {
+              throw new NornError({
+                category: "syntax",
+                code: "invalid-form-urlencoded-body",
+                message: "Request body is not valid application/x-www-form-urlencoded syntax.",
+                details: encoded.errors.map((error) => `Body line ${error.lineIndex + 1}: ${error.message} (${error.line})`),
+                hint: "Use key=value, key: value, or a single line like key1=value1&key2=value2.",
+                context: {
+                  source: "httpClient",
+                  method: currentMethod,
+                  url: currentUrl
+                }
+              });
+            }
+            data = encoded.encodedBody;
           } else if (contentTypeValue.includes("application/json")) {
             try {
               data = JSON.parse(currentBody);
@@ -109333,6 +109418,15 @@ function buildRequestContext(parsed, context) {
     environment: context?.environment
   };
 }
+function getHeaderValueCaseInsensitive(headers, headerName) {
+  const targetName = headerName.toLowerCase();
+  for (const [name, value] of Object.entries(headers)) {
+    if (name.toLowerCase() === targetName) {
+      return value;
+    }
+  }
+  return void 0;
+}
 function describeUnresolvedLocation(label, vars) {
   if (vars.length === 0) {
     return void 0;
@@ -109388,6 +109482,20 @@ function validatePreparedRequest(parsed, context) {
       cause: error
     });
   }
+  const contentType = getHeaderValueCaseInsensitive(parsed.headers, "Content-Type");
+  if (isFormUrlEncodedContentType(contentType)) {
+    const { errors } = parseFormUrlEncodedBody(parsed.body);
+    if (errors.length > 0) {
+      throw new NornError({
+        category: "syntax",
+        code: "invalid-form-urlencoded-body",
+        message: "Request could not be prepared: invalid application/x-www-form-urlencoded body syntax.",
+        details: errors.map((error) => `Body line ${error.lineIndex + 1}: ${error.message} (${error.line})`),
+        hint: "Use key=value, key: value, or a single line like key1=value1&key2=value2.",
+        context: buildRequestContext(parsed, context)
+      });
+    }
+  }
 }
 
 // src/sequenceRunner.ts
@@ -110257,13 +110365,17 @@ function applyHeaderGroupsToRequest(parsed, requestText, headerGroups, variables
   const headerGroupNames = headerGroups.map((hg) => hg.name);
   const headerGroupHeaders = {};
   const foundGroups = [];
+  const cleanedBodyLines = [];
+  let sawRequestLine = false;
+  let inBodySection = false;
   for (const line2 of lines) {
     const trimmed = line2.trim();
     if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("var ")) {
       continue;
     }
     const methodMatch = trimmed.match(/^(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s+(.+)$/i);
-    if (methodMatch) {
+    if (!sawRequestLine && methodMatch) {
+      sawRequestLine = true;
       const afterMethod = methodMatch[2];
       const tokens = afterMethod.split(/\s+/);
       for (let i = tokens.length - 1; i >= 0; i--) {
@@ -110275,18 +110387,22 @@ function applyHeaderGroupsToRequest(parsed, requestText, headerGroups, variables
       }
       continue;
     }
-    if (/^[A-Za-z0-9\-_]+\s*:\s*.+$/.test(trimmed)) {
-      continue;
-    }
-    if (trimmed.startsWith("{") || trimmed.startsWith("[") || trimmed.startsWith('"')) {
+    if (!sawRequestLine) {
       continue;
     }
-    const potentialGroups = trimmed.split(/\s+/);
-    for (const groupName of potentialGroups) {
-      if (headerGroupNames.includes(groupName)) {
-        foundGroups.push(groupName);
+    if (!inBodySection) {
+      if (/^[A-Za-z0-9\-_]+\s*:\s*.+$/.test(trimmed)) {
+        continue;
+      }
+      const potentialGroups = trimmed.split(/\s+/).filter(Boolean);
+      const matchingGroups = potentialGroups.filter((groupName) => headerGroupNames.includes(groupName));
+      if (matchingGroups.length > 0 && matchingGroups.length === potentialGroups.length) {
+        foundGroups.push(...matchingGroups);
+        continue;
       }
+      inBodySection = true;
     }
+    cleanedBodyLines.push(trimmed);
   }
   for (const groupName of foundGroups) {
     const group = headerGroups.find((hg) => hg.name === groupName);
@@ -110303,7 +110419,8 @@ function applyHeaderGroupsToRequest(parsed, requestText, headerGroups, variables
   modifiedUrl = modifiedUrl.trim();
   const result = {
     ...parsed,
-    url: modifiedUrl
+    url: modifiedUrl,
+    body: cleanedBodyLines.length > 0 ? substituteVariables(cleanedBodyLines.join("\n"), variables) : void 0
   };
   if (Object.keys(headerGroupHeaders).length > 0) {
     result.headers = { ...headerGroupHeaders, ...parsed.headers };

package/package.json

@@ -2,7 +2,7 @@
   "name": "norn-cli",
   "displayName": "Norn - REST Client",
   "description": "A powerful REST client for making HTTP requests with sequences, variables, scripts, and cookie support",
-  "version": "1.10.3",
+  "version": "1.10.5",
   "publisher": "Norn-PeterKrustanov",
   "author": {
     "name": "Peter Krastanov"
@@ -386,8 +386,9 @@
     "pretest": "npm run compile-tests && npm run compile && npm run lint",
     "check-types": "tsc --noEmit",
     "lint": "eslint src",
+    "validate:skills": "node ./scripts/validate-skills.mjs",
     "test": "vscode-test",
-    "test:regression": "./tests/Regression/run-all.sh",
+    "test:regression": "node ./dist/cli.js ./tests/Regression/ -e prelive",
     "publish:npm": "node -e \"const p=require('./package.json');p.name='norn-cli';require('fs').writeFileSync('package.json',JSON.stringify(p,null,2))\" && npm publish && node -e \"const p=require('./package.json');p.name='norn';require('fs').writeFileSync('package.json',JSON.stringify(p,null,2))\"",
     "publish:vsce": "node -e \"const p=require('./package.json');p.name='norn';require('fs').writeFileSync('package.json',JSON.stringify(p,null,2))\" && npx vsce publish",
     "publish:all": "npm run publish:npm && npm run publish:vsce"

package/scripts/validate-skills.mjs

@@ -0,0 +1,50 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process';
+import { existsSync, readdirSync, statSync } from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+const repoRoot = process.cwd();
+const skillsRoot = path.join(repoRoot, '.github', 'skills');
+const codexHome = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
+const validatorPath = path.join(
+  codexHome,
+  'skills',
+  '.system',
+  'skill-creator',
+  'scripts',
+  'quick_validate.py'
+);
+
+if (!existsSync(skillsRoot)) {
+  console.error(`Skills directory not found: ${skillsRoot}`);
+  process.exit(1);
+}
+
+if (!existsSync(validatorPath)) {
+  console.error(`Skill validator not found: ${validatorPath}`);
+  console.error('Install the Codex skill-creator system skill or set CODEX_HOME correctly.');
+  process.exit(1);
+}
+
+const skillDirs = readdirSync(skillsRoot)
+  .map((name) => path.join(skillsRoot, name))
+  .filter((dir) => statSync(dir).isDirectory() && existsSync(path.join(dir, 'SKILL.md')))
+  .sort();
+
+if (skillDirs.length === 0) {
+  console.log('No skills found to validate.');
+  process.exit(0);
+}
+
+for (const skillDir of skillDirs) {
+  const label = path.relative(repoRoot, skillDir);
+  console.log(`Validating ${label}`);
+  const result = spawnSync('python3', [validatorPath, skillDir], { stdio: 'inherit' });
+  if (result.status !== 0) {
+    process.exit(result.status ?? 1);
+  }
+}
+
+console.log(`Validated ${skillDirs.length} skills.`);