opencode-skills-antigravity 1.0.31 → 1.0.32

package/bundled-skills/.antigravity-install-manifest.json

@@ -1,6 +1,6 @@
 {
   "schemaVersion": 1,
-  "updatedAt": "2026-03-29T07:05:52.229Z",
+  "updatedAt": "2026-03-29T08:42:42.901Z",
   "entries": [
     ".gitignore",
     "00-andruia-consultant",

package/bundled-skills/docs/contributors/quality-bar.md

@@ -47,6 +47,7 @@ A list of known edge cases or things the skill _cannot_ do.
 If a skill includes command examples, remote fetch steps, secrets, or mutation guidance, the PR must document the risk and pass `npm run security:docs` in addition to normal validation.
 
 For pull requests that add or modify `SKILL.md`, GitHub also runs the automated `skill-review` workflow. Treat that review as part of the normal PR quality gate and address any actionable findings before merge.
+Automated checks are necessary, but they do **not** replace manual reviewer judgment on logic, safety, and likely failure modes.
 
 `npm run security:docs` enforces a repo-wide scan for:
 
@@ -95,5 +96,6 @@ Notes:
 - `npm run audit:skills` is the maintainer-facing compliance/usability report for the full library.
 - `npm run security:docs` is required for command-heavy or risky skill content.
 - PRs that touch `SKILL.md` also get an automated `skill-review` GitHub Actions check.
+- Skill changes and risky guidance still require a manual logic review before merge, even when the automated gates pass.
 - `npm run validate:strict` is a useful hardening pass, but the repository still contains legacy skills that do not yet satisfy strict validation.
 - Examples and limitations remain part of the quality bar even when they are not fully auto-enforced by the current validator.

package/bundled-skills/docs/maintainers/audit.md

@@ -37,6 +37,7 @@ This document summarizes the repository coherence audit performed after the `app
   - missing examples and missing limitations sections,
   - overly long `SKILL.md` files that should probably be split into `references/`,
   - plus the existing structural/safety checks (frontmatter, risk, `When to Use`, offensive disclaimer, dangling links).
+- The report also includes a non-blocking `suggested_risk` for skills that are still marked `unknown` or appear to be misclassified, so maintainers can resolve risk classification during PR review without changing the contributor gate.
 - Use `npm run audit:skills` for the maintainer view and `npm run audit:skills -- --json-out ... --markdown-out ...` when you want artifacts for triage or cleanup tracking.
 
 ### 3. Riferimenti incrociati

package/bundled-skills/docs/maintainers/release-process.md

@@ -75,6 +75,16 @@ npm publish
 Normally this still happens via the existing GitHub release workflow after the GitHub release is published.
 That workflow now reruns `sync:release-state`, refreshes tracked web assets, fails on canonical drift via `git diff --exit-code`, executes tests and docs security checks, builds the web app, and dry-runs the npm package before `npm publish`.
 
+## Canonical Sync Bot
+
+`main` still uses the repository's auto-sync model for canonical generated artifacts, but with a narrow contract:
+
+- PRs stay source-only.
+- After merge, the `main` workflow may commit generated canonical files directly to `main` with `[ci skip]`.
+- The bot commit is only allowed to stage files resolved from `tools/scripts/generated_files.js --include-mixed`.
+- If repo-state sync leaves any unmanaged tracked or untracked drift, the workflow fails instead of pushing a partial fix.
+- The scheduled hygiene workflow follows the same contract and shares the same concurrency group so only one canonical sync writer runs at a time.
+
 ## Rollback Notes
 
 - If the release tag is wrong, delete the tag locally and remotely before republishing.

package/bundled-skills/docx/ooxml/scripts/unpack.py

@@ -2,22 +2,47 @@
 """Unpack and format XML contents of Office files (.docx, .pptx, .xlsx)"""
 
 import random
+import shutil
+import stat
 import sys
 import zipfile
 from pathlib import Path
 
 
+def _is_zip_symlink(member: zipfile.ZipInfo) -> bool:
+    return stat.S_ISLNK(member.external_attr >> 16)
+
+
+def _is_safe_destination(output_root: Path, member_name: str) -> bool:
+    destination = output_root / member_name
+    return destination.resolve().is_relative_to(output_root.resolve())
+
+
+def _extract_member(archive: zipfile.ZipFile, member: zipfile.ZipInfo, output_root: Path):
+    destination = output_root / member.filename
+    if member.is_dir():
+        destination.mkdir(parents=True, exist_ok=True)
+        return
+
+    destination.parent.mkdir(parents=True, exist_ok=True)
+    with archive.open(member, "r") as source, open(destination, "wb") as target:
+        shutil.copyfileobj(source, target)
+
+
 def extract_archive_safely(input_file: str | Path, output_dir: str | Path):
     output_path = Path(output_dir)
     output_path.mkdir(parents=True, exist_ok=True)
+    output_root = output_path.resolve()
 
     with zipfile.ZipFile(input_file) as archive:
         for member in archive.infolist():
-            destination = output_path / member.filename
-            if not destination.resolve().is_relative_to(output_path.resolve()):
+            if _is_zip_symlink(member):
+                raise ValueError(f"Unsafe archive entry: {member.filename}")
+            if not _is_safe_destination(output_root, member.filename):
                 raise ValueError(f"Unsafe archive entry: {member.filename}")
 
-        archive.extractall(output_path)
+        for member in archive.infolist():
+            _extract_member(archive, member, output_path)
 
 
 def pretty_print_xml(output_path: Path):

package/bundled-skills/docx-official/ooxml/scripts/unpack.py

@@ -2,22 +2,47 @@
 """Unpack and format XML contents of Office files (.docx, .pptx, .xlsx)"""
 
 import random
+import shutil
+import stat
 import sys
 import zipfile
 from pathlib import Path
 
 
+def _is_zip_symlink(member: zipfile.ZipInfo) -> bool:
+    return stat.S_ISLNK(member.external_attr >> 16)
+
+
+def _is_safe_destination(output_root: Path, member_name: str) -> bool:
+    destination = output_root / member_name
+    return destination.resolve().is_relative_to(output_root.resolve())
+
+
+def _extract_member(archive: zipfile.ZipFile, member: zipfile.ZipInfo, output_root: Path):
+    destination = output_root / member.filename
+    if member.is_dir():
+        destination.mkdir(parents=True, exist_ok=True)
+        return
+
+    destination.parent.mkdir(parents=True, exist_ok=True)
+    with archive.open(member, "r") as source, open(destination, "wb") as target:
+        shutil.copyfileobj(source, target)
+
+
 def extract_archive_safely(input_file: str | Path, output_dir: str | Path):
     output_path = Path(output_dir)
     output_path.mkdir(parents=True, exist_ok=True)
+    output_root = output_path.resolve()
 
     with zipfile.ZipFile(input_file) as archive:
         for member in archive.infolist():
-            destination = output_path / member.filename
-            if not destination.resolve().is_relative_to(output_path.resolve()):
+            if _is_zip_symlink(member):
+                raise ValueError(f"Unsafe archive entry: {member.filename}")
+            if not _is_safe_destination(output_root, member.filename):
                 raise ValueError(f"Unsafe archive entry: {member.filename}")
 
-        archive.extractall(output_path)
+        for member in archive.infolist():
+            _extract_member(archive, member, output_path)
 
 
 def pretty_print_xml(output_path: Path):

package/bundled-skills/pptx/ooxml/scripts/unpack.py

@@ -2,22 +2,47 @@
 """Unpack and format XML contents of Office files (.docx, .pptx, .xlsx)"""
 
 import random
+import shutil
+import stat
 import sys
 import zipfile
 from pathlib import Path
 
 
+def _is_zip_symlink(member: zipfile.ZipInfo) -> bool:
+    return stat.S_ISLNK(member.external_attr >> 16)
+
+
+def _is_safe_destination(output_root: Path, member_name: str) -> bool:
+    destination = output_root / member_name
+    return destination.resolve().is_relative_to(output_root.resolve())
+
+
+def _extract_member(archive: zipfile.ZipFile, member: zipfile.ZipInfo, output_root: Path):
+    destination = output_root / member.filename
+    if member.is_dir():
+        destination.mkdir(parents=True, exist_ok=True)
+        return
+
+    destination.parent.mkdir(parents=True, exist_ok=True)
+    with archive.open(member, "r") as source, open(destination, "wb") as target:
+        shutil.copyfileobj(source, target)
+
+
 def extract_archive_safely(input_file: str | Path, output_dir: str | Path):
     output_path = Path(output_dir)
     output_path.mkdir(parents=True, exist_ok=True)
+    output_root = output_path.resolve()
 
     with zipfile.ZipFile(input_file) as archive:
         for member in archive.infolist():
-            destination = output_path / member.filename
-            if not destination.resolve().is_relative_to(output_path.resolve()):
+            if _is_zip_symlink(member):
+                raise ValueError(f"Unsafe archive entry: {member.filename}")
+            if not _is_safe_destination(output_root, member.filename):
                 raise ValueError(f"Unsafe archive entry: {member.filename}")
 
-        archive.extractall(output_path)
+        for member in archive.infolist():
+            _extract_member(archive, member, output_path)
 
 
 def pretty_print_xml(output_path: Path):

package/bundled-skills/pptx-official/ooxml/scripts/unpack.py

@@ -2,22 +2,47 @@
 """Unpack and format XML contents of Office files (.docx, .pptx, .xlsx)"""
 
 import random
+import shutil
+import stat
 import sys
 import zipfile
 from pathlib import Path
 
 
+def _is_zip_symlink(member: zipfile.ZipInfo) -> bool:
+    return stat.S_ISLNK(member.external_attr >> 16)
+
+
+def _is_safe_destination(output_root: Path, member_name: str) -> bool:
+    destination = output_root / member_name
+    return destination.resolve().is_relative_to(output_root.resolve())
+
+
+def _extract_member(archive: zipfile.ZipFile, member: zipfile.ZipInfo, output_root: Path):
+    destination = output_root / member.filename
+    if member.is_dir():
+        destination.mkdir(parents=True, exist_ok=True)
+        return
+
+    destination.parent.mkdir(parents=True, exist_ok=True)
+    with archive.open(member, "r") as source, open(destination, "wb") as target:
+        shutil.copyfileobj(source, target)
+
+
 def extract_archive_safely(input_file: str | Path, output_dir: str | Path):
     output_path = Path(output_dir)
     output_path.mkdir(parents=True, exist_ok=True)
+    output_root = output_path.resolve()
 
     with zipfile.ZipFile(input_file) as archive:
         for member in archive.infolist():
-            destination = output_path / member.filename
-            if not destination.resolve().is_relative_to(output_path.resolve()):
+            if _is_zip_symlink(member):
+                raise ValueError(f"Unsafe archive entry: {member.filename}")
+            if not _is_safe_destination(output_root, member.filename):
                 raise ValueError(f"Unsafe archive entry: {member.filename}")
 
-        archive.extractall(output_path)
+        for member in archive.infolist():
+            _extract_member(archive, member, output_path)
 
 
 def pretty_print_xml(output_path: Path):

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-skills-antigravity",
-  "version": "1.0.31",
+  "version": "1.0.32",
   "description": "OpenCode CLI plugin that automatically downloads and keeps Antigravity Awesome Skills up to date.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",