npm - opencode-gitlab-dap - Versions diffs - 1.16.5 → 1.17.0 - Mend

opencode-gitlab-dap 1.16.5 → 1.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -3891,7 +3891,16 @@ function searchSkillsSh(query) {
 function downloadSkillFromSkillsSh(identifier) {
   const tmp = mkdtempSync(join2(tmpdir(), "skill-install-"));
   try {
-    execSync(`npx skills add ${JSON.stringify(identifier)} -y --copy`, {
+    const atIdx = identifier.indexOf("@");
+    let cmd;
+    if (atIdx !== -1) {
+      const repo = identifier.slice(0, atIdx);
+      const skill = identifier.slice(atIdx + 1);
+      cmd = `npx skills add ${JSON.stringify(repo)} --skill ${JSON.stringify(skill)} -y --copy`;
+    } else {
+      cmd = `npx skills add ${JSON.stringify(identifier)} -y --copy`;
+    }
+    execSync(cmd, {
       timeout: 6e4,
       cwd: tmp,
       encoding: "utf-8",
@@ -3944,6 +3953,73 @@ function downloadSkillFromSkillsSh(identifier) {
   }
 }
+// src/tools/skill-audit.ts
+var PROVIDER_NAMES = {
+  "agent-trust-hub": "Gen Agent Trust Hub",
+  socket: "Socket",
+  snyk: "Snyk"
+};
+function parseIdentifierToUrl(identifier) {
+  const atIdx = identifier.indexOf("@");
+  if (atIdx === -1) return null;
+  const ownerRepo = identifier.slice(0, atIdx);
+  const skillName = identifier.slice(atIdx + 1);
+  if (!ownerRepo.includes("/") || !skillName) return null;
+  return `https://skills.sh/${ownerRepo}/${skillName}`;
+}
+function parseAuditHtml(html, auditUrl) {
+  const secIdx = html.indexOf("Security Audits");
+  if (secIdx === -1) return null;
+  const section = html.slice(secIdx, secIdx + 5e3);
+  const providerPattern = /href="[^"]*\/security\/(agent-trust-hub|socket|snyk)"[\s\S]*?>(Pass|Fail|Warn)</g;
+  const results = [];
+  let match;
+  while ((match = providerPattern.exec(section)) !== null) {
+    const slug = match[1];
+    const status = match[2];
+    results.push({
+      provider: PROVIDER_NAMES[slug] ?? slug,
+      status,
+      detailUrl: `${auditUrl}/security/${slug}`
+    });
+  }
+  if (results.length === 0) return null;
+  return {
+    results,
+    hasFailure: results.some((r) => r.status === "Fail"),
+    hasWarning: results.some((r) => r.status === "Warn"),
+    auditUrl
+  };
+}
+async function fetchSkillAudit(identifier) {
+  const url = parseIdentifierToUrl(identifier);
+  if (!url) return null;
+  try {
+    const resp = await fetch(url, {
+      signal: AbortSignal.timeout(1e4),
+      headers: { Accept: "text/html" }
+    });
+    if (!resp.ok) return null;
+    const html = await resp.text();
+    return parseAuditHtml(html, url);
+  } catch {
+    return null;
+  }
+}
+function formatAuditLine(audit) {
+  return audit.results.map((r) => {
+    const icon = r.status === "Fail" ? "\u{1F534}" : r.status === "Warn" ? "\u{1F7E1}" : "\u{1F7E2}";
+    return `${icon} ${r.provider}: ${r.status}`;
+  }).join(" | ");
+}
+function formatAuditRate(audit) {
+  const total = audit.results.length;
+  const passed = audit.results.filter((r) => r.status === "Pass").length;
+  if (passed === total) return `Security: ${passed}/${total} audits passed \u2705`;
+  if (audit.hasFailure) return `Security: ${passed}/${total} audits passed \u274C`;
+  return `Security: ${passed}/${total} audits passed \u26A0\uFE0F`;
+}
 // src/tools/skill-tools.ts
 var z6 = tool6.schema;
 var PROJECT_ID_DESC2 = "Project path from git remote";
@@ -4228,14 +4304,32 @@ Install: \`gitlab_skill_install(name="${e.name}", source="group", group_id="${ar
         }
         const shResults = searchSkillsSh(args.query);
         if (shResults.length > 0) {
+          const audits = await Promise.all(shResults.map((r) => fetchSkillAudit(r.identifier)));
           sections.push(
             `### skills.sh (${shResults.length})
-` + shResults.map(
-              (r) => `**${r.identifier}** (${r.installs})
+` + shResults.map((r, i) => {
+              const audit = audits[i];
+              let line = `**${r.identifier}** (${r.installs})`;
+              if (audit) {
+                line += `
+${formatAuditRate(audit)}`;
+                line += `
+${formatAuditLine(audit)}`;
+                if (audit.hasFailure) {
+                  line += `
+\u26D4 BLOCKED \u2014 security audit failures detected. Review: ${audit.auditUrl}`;
+                  return line;
+                }
+              } else {
+                line += `
+Security: unknown (audit data unavailable)`;
+              }
+              line += `
 ${r.url}
-Install: \`gitlab_skill_install(name="${r.identifier}", source="skills.sh")\``
-            ).join("\n\n")
+Install: \`gitlab_skill_install(name="${r.identifier}", source="skills.sh")\``;
+              return line;
+            }).join("\n\n")
           );
         }
         if (sections.length === 0) {
@@ -4258,6 +4352,14 @@ Install: \`gitlab_skill_install(name="${r.identifier}", source="skills.sh")\``
         const projectScope = resolveScope2(args);
         const targetPrefix = args.draft ? DRAFTS_PREFIX : SKILLS_PREFIX;
         if (args.source === "skills.sh") {
+          const audit = await fetchSkillAudit(args.name);
+          if (audit?.hasFailure) {
+            const failures = audit.results.filter((r) => r.status === "Fail").map((r) => `  \u{1F534} ${r.provider}: Fail (${r.detailUrl})`).join("\n");
+            return `\u26D4 Installation BLOCKED \u2014 security audit failure(s) detected:
+${failures}
+Review the audit details before proceeding: ${audit.auditUrl}`;
+          }
           const downloaded = downloadSkillFromSkillsSh(args.name);
           if (!downloaded) {
             return `Failed to download skill "${args.name}" from skills.sh.`;
@@ -4309,7 +4411,19 @@ Install: \`gitlab_skill_install(name="${r.identifier}", source="skills.sh")\``
             }
             const parts = [`${wikiCount} wiki page(s)`];
             if (hasBundle) parts.push(`${scriptFiles.length} bundled script(s)`);
-            return `Installed skill "${downloaded.name}" from skills.sh. ${parts.join(", ")}. Use gitlab_skill_setup to extract scripts.`;
+            let result = `Installed skill "${downloaded.name}" from skills.sh. ${parts.join(", ")}. Use gitlab_skill_setup to extract scripts.`;
+            if (audit?.hasWarning) {
+              const warnings = audit.results.filter((r) => r.status === "Warn").map((r) => `  \u26A0\uFE0F ${r.provider}: Warn (${r.detailUrl})`).join("\n");
+              result += `
+\u26A0\uFE0F Security audit warnings:
+${warnings}`;
+            } else if (!audit) {
+              result += `
+(security audit data unavailable \u2014 skills.sh may be unreachable)`;
+            }
+            return result;
           } catch (err) {
             return `Error installing from skills.sh: ${err.message}`;
           }