reskill 1.16.0-beta.1 → 1.17.0

package/dist/cli/index.js

@@ -3473,6 +3473,7 @@ class RegistryClient {
         formData.append('metadata', JSON.stringify(metadata));
         if (payload.skillMd?.allowedTools) formData.append('allowed_tools', payload.skillMd.allowedTools.join(' '));
         if (options.tag) formData.append('tag', options.tag);
+        if (options.groupPath) formData.append('group_path', options.groupPath);
         // Append tarball as Blob
         const tarballBlob = new Blob([
             tarball
@@ -3490,6 +3491,186 @@ class RegistryClient {
         if (!response.ok) throw new RegistryError(data.error || `Publish failed: ${response.status}`, response.status, data);
         return data;
     }
+    // ============================================================================
+    // Group Methods
+    // ============================================================================
+    /**
+   * Resolve a human-readable group path to its details.
+   *
+   * @param groupPath - Human-readable path (e.g., "kanyun/frontend")
+   * @returns Group detail with current_user_role if authenticated
+   * @throws RegistryError if not found or request failed
+   */ async resolveGroup(groupPath) {
+        const params = new URLSearchParams({
+            path: groupPath
+        });
+        const url = `${this.getApiBase()}/skill-groups/resolve?${params.toString()}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Group not found: ${groupPath}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * List groups visible to the current user.
+   *
+   * @param options - Filter options (parent_id, visibility)
+   * @returns Array of groups
+   */ async listGroups(options = {}) {
+        const params = new URLSearchParams();
+        if (options.parentId) params.set('parent_id', options.parentId);
+        if (options.visibility) params.set('visibility', options.visibility);
+        if (options.flat) params.set('flat', 'true');
+        const qs = params.toString();
+        const url = `${this.getApiBase()}/skill-groups${qs ? `?${qs}` : ''}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to list groups: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * Create a new skill group.
+   *
+   * @param input - Group creation parameters
+   * @returns Created group
+   */ async createGroup(input) {
+        const url = `${this.getApiBase()}/skill-groups`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                ...this.getAuthHeaders(),
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify(input)
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to create group: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * Delete a skill group.
+   *
+   * @param groupId - Group UUID
+   * @param dryRun - If true, only preview what would be deleted
+   * @returns Deletion result (affected skills count in dry-run mode)
+   */ async deleteGroup(groupId, dryRun = false) {
+        const params = dryRun ? '?dry_run=true' : '';
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}${params}`;
+        const response = await fetch(url, {
+            method: 'DELETE',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to delete group: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * List members of a group.
+   *
+   * @param groupId - Group UUID
+   * @returns Array of members
+   */ async listGroupMembers(groupId) {
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to list members: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * Add members to a group.
+   *
+   * @param groupId - Group UUID
+   * @param userIds - Array of user IDs to add
+   * @param role - Role to assign (defaults to 'developer')
+   */ async addGroupMembers(groupId, userIds, role = 'developer') {
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                ...this.getAuthHeaders(),
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({
+                user_ids: userIds,
+                role
+            })
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to add members: ${response.status}`, response.status, data);
+        }
+    }
+    /**
+   * Remove a member from a group.
+   *
+   * @param groupId - Group UUID
+   * @param userId - User ID to remove
+   */ async removeGroupMember(groupId, userId) {
+        const params = new URLSearchParams({
+            user_id: userId
+        });
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members?${params.toString()}`;
+        const response = await fetch(url, {
+            method: 'DELETE',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to remove member: ${response.status}`, response.status, data);
+        }
+    }
+    /**
+   * Update a member's role in a group.
+   *
+   * @param groupId - Group UUID
+   * @param userId - User ID to update
+   * @param role - New role to assign
+   */ async updateGroupMemberRole(groupId, userId, role) {
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members`;
+        const response = await fetch(url, {
+            method: 'PATCH',
+            headers: {
+                ...this.getAuthHeaders(),
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({
+                user_id: userId,
+                role
+            })
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to update member role: ${response.status}`, response.status, data);
+        }
+    }
 }
 /**
  * Tarball Extractor (Step 3.6)
@@ -4784,15 +4965,15 @@ class RegistryResolver {
     /**
    * Install a web-published skill.
    *
-   * Web-published skills do not support versioning. Branches to different
+   * Web-published skills (except local) do not support versioning. Branches to different
    * installation logic based on source_type:
    * - github/gitlab: reuses installToAgentsFromGit
    * - oss_url/custom_url: reuses installToAgentsFromHttp
    * - local: downloads tarball via Registry API
    */ async installFromWebPublished(skillInfo, parsed, targetAgents, options = {}) {
         const { source_type, source_url } = skillInfo;
-        // Web-published skills do not support version specifiers
-        if (parsed.version && 'latest' !== parsed.version) throw new Error(`Version specifier not supported for web-published skills.\n'${parsed.fullName}' was published via web and does not support versioning.\nUse: reskill install ${parsed.fullName}`);
+        // Web-published skills (except local) do not support version specifiers
+        if ('local' !== source_type && parsed.version && 'latest' !== parsed.version) throw new Error(`Version specifier not supported for web-published skills.\n'${parsed.fullName}' was published via web and does not support versioning.\nUse: reskill install ${parsed.fullName}`);
         if (!source_url) throw new Error(`Missing source_url for web-published skill: ${parsed.fullName}`);
         logger_logger["package"](`Installing ${parsed.fullName} from ${source_type} source...`);
         // Build registry context so downstream methods use the registry name
@@ -4883,12 +5064,13 @@ class RegistryResolver {
         const { save = true, mode = 'symlink' } = options;
         const registryUrl = await this.resolveRegistryUrl(parsed.fullName, options.registry);
         const shortName = getShortName(parsed.fullName);
-        const version = 'latest';
-        // Download tarball via RegistryClient (handles auth + 302 redirect to signed URL)
+        // Resolve version via dist-tags (supports @latest, @1.0.0, etc.)
         const client = new RegistryClient({
             registry: registryUrl,
             token: options.token
         });
+        const version = await client.resolveVersion(parsed.fullName, parsed.version);
+        // Download tarball via RegistryClient (handles auth + 302 redirect to signed URL)
         const { tarball } = await client.downloadSkill(parsed.fullName, version);
         logger_logger["package"](`Installing ${shortName} from ${registryUrl} to ${targetAgents.length} agent(s)...`);
         // Extract tarball to temp directory (clean stale files first)
@@ -6420,113 +6602,513 @@ class AuthManager {
 // ============================================================================
 const findCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('find').alias('search').description('Search for skills in the registry').argument('<query>', 'Search query').option('-r, --registry <url>', 'Registry URL (or set RESKILL_REGISTRY env var, or defaults.publishRegistry in skills.json)').option('-l, --limit <n>', 'Maximum number of results', '10').option('-j, --json', 'Output as JSON').action(findAction);
 /**
- * info command - Show skill details
- */ const infoCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('info').description('Show skill details').argument('<skill>', 'Skill name').option('-j, --json', 'Output as JSON').action((skillName, options)=>{
-    const skillManager = new SkillManager();
-    const info = skillManager.getInfo(skillName);
-    if (options.json) {
-        console.log(JSON.stringify(info, null, 2));
-        return;
+ * Group path utilities — normalization, slug generation, and validation.
+ *
+ * Shared by the `group` and `publish` CLI commands.
+ */ const SLUG_REGEX = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+const MAX_GROUP_DEPTH = 3;
+const MAX_SEGMENT_LENGTH = 64;
+/**
+ * Normalize a group path for API usage.
+ *
+ * Rules from spec §13.2:
+ * - Strip leading/trailing slashes and whitespace
+ * - Collapse consecutive slashes
+ * - Lowercase
+ */ function normalizeGroupPath(raw) {
+    return raw.trim().replace(/\/+/g, '/').replace(/^\/|\/$/g, '').toLowerCase();
+}
+/**
+ * Generate a URL-safe slug from a human-readable name.
+ *
+ * Spec §13.4:
+ * - Lowercase, trim, replace spaces/underscores with hyphens
+ * - Strip non-alphanumeric characters (except hyphens)
+ * - Collapse consecutive hyphens, strip leading/trailing hyphens
+ * - Truncate to MAX_SEGMENT_LENGTH characters
+ */ function generateSlug(name) {
+    return name.toLowerCase().trim().replace(/[\s_]+/g, '-').replace(/[^a-z0-9-]/g, '').replace(/-+/g, '-').replace(/^-|-$/g, '').slice(0, MAX_SEGMENT_LENGTH).replace(/-$/g, '');
+}
+/**
+ * Validate a normalized group path.
+ *
+ * Spec §13.2:
+ * - Segment slug must match SLUG_REGEX
+ * - Segment length <= 64
+ * - Max depth <= 3
+ */ function validateGroupPath(path) {
+    if (!path) return {
+        valid: false,
+        error: 'Group path cannot be empty'
+    };
+    const segments = path.split('/');
+    if (segments.length > MAX_GROUP_DEPTH) return {
+        valid: false,
+        error: `Group path depth cannot exceed ${MAX_GROUP_DEPTH} segments`
+    };
+    for (const segment of segments){
+        if (segment.length > MAX_SEGMENT_LENGTH) return {
+            valid: false,
+            error: `Group path segment "${segment}" exceeds ${MAX_SEGMENT_LENGTH} characters`
+        };
+        if (!SLUG_REGEX.test(segment)) return {
+            valid: false,
+            error: `Invalid group path segment "${segment}". Segments must match ${SLUG_REGEX}`
+        };
     }
-    if (!info.installed && !info.config) {
-        logger_logger.error(`Skill ${skillName} not found`);
+    return {
+        valid: true
+    };
+}
+/**
+ * group command - Manage skill groups
+ *
+ * Provides subcommands for listing, creating, inspecting, and deleting
+ * skill groups, as well as managing group membership.
+ *
+ * Usage:
+ *   reskill group list                           # List visible groups
+ *   reskill group create <name>                  # Create a group
+ *   reskill group info <path>                    # Show group details
+ *   reskill group delete <path>                  # Delete a group
+ *   reskill group member list <path>             # List members
+ *   reskill group member add <path> <users...>   # Add members
+ *   reskill group member remove <path> <user>    # Remove a member
+ *   reskill group member role <path> <user> <role> # Change member role
+ */ // ============================================================================
+// Constants
+// ============================================================================
+const VALID_ROLES = [
+    'owner',
+    'maintainer',
+    'developer'
+];
+/**
+ * Validate that a role string is one of the allowed values.
+ */ function validateRole(role) {
+    return VALID_ROLES.includes(role);
+}
+function assertValidGroupPath(path) {
+    const validation = validateGroupPath(path);
+    if (!validation.valid) {
+        logger_logger.error(validation.error);
         process.exit(1);
     }
-    logger_logger.log(`Skill: ${skillName}`);
-    logger_logger.newline();
-    if (info.config) {
-        logger_logger.log("Configuration (skills.json):");
-        logger_logger.log(`  Reference: ${info.config}`);
-    }
-    if (info.locked) {
-        logger_logger.log("Locked Version (skills.lock):");
-        logger_logger.log(`  Version: ${info.locked.version}`);
-        logger_logger.log(`  Source: ${info.locked.source}`);
-        logger_logger.log(`  Commit: ${info.locked.commit}`);
-        logger_logger.log(`  Installed: ${info.locked.installedAt}`);
-    }
-    if (info.installed) {
-        logger_logger.log("Installed:");
-        logger_logger.log(`  Path: ${info.installed.path}`);
-        logger_logger.log(`  Version: ${info.installed.version}`);
-        logger_logger.log(`  Linked: ${info.installed.isLinked ? 'Yes' : 'No'}`);
-        if (info.installed.metadata) {
-            const meta = info.installed.metadata;
-            logger_logger.log("Metadata (SKILL.md):");
-            if (meta.description) logger_logger.log(`  Description: ${meta.description}`);
-            if (meta.author) logger_logger.log(`  Author: ${meta.author}`);
-            if (meta.license) logger_logger.log(`  License: ${meta.license}`);
-            if (meta.keywords?.length) logger_logger.log(`  Keywords: ${meta.keywords.join(', ')}`);
-        }
-    } else logger_logger.warn(`Skill ${skillName} is not installed`);
-});
+}
 // ============================================================================
-// Constants
+// Client Factory
 // ============================================================================
-const DEFAULT_INSTALL_DIR = '.skills';
+function createClient(registry) {
+    const authManager = new AuthManager();
+    const token = authManager.getToken(registry);
+    if (!token) {
+        logger_logger.error('Authentication required');
+        logger_logger.newline();
+        logger_logger.log("Run 'reskill login' to authenticate.");
+        process.exit(1);
+    }
+    return new RegistryClient({
+        registry,
+        token
+    });
+}
 // ============================================================================
-// Helper Functions
+// Display Helpers
 // ============================================================================
-/**
- * Display configuration summary after initialization
- */ function displayConfigSummary(installDir) {
-    logger_logger.success('Created skills.json');
+function getGroupIndentLevel(group) {
+    if ('number' == typeof group.level && Number.isFinite(group.level)) return Math.max(0, group.level - 1);
+    return Math.max(0, group.path.split('/').length - 1);
+}
+function displayGroupList(groups, json, tree = false) {
+    if (json) {
+        console.log(JSON.stringify(groups, null, 2));
+        return;
+    }
+    if (0 === groups.length) {
+        logger_logger.warn('No groups found');
+        return;
+    }
     logger_logger.newline();
-    logger_logger.log('Configuration:');
-    logger_logger.log(`  Install directory: ${installDir}`);
+    logger_logger.log(`Found ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(String(groups.length))} group${1 === groups.length ? '' : 's'}:`);
+    logger_logger.newline();
+    if (tree) {
+        const sortedGroups = [
+            ...groups
+        ].sort((a, b)=>a.path.localeCompare(b.path));
+        for (const group of sortedGroups){
+            const vis = 'private' === group.visibility ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].yellow(' (private)') : '';
+            const desc = group.description ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(` - ${group.description}`) : '';
+            const indent = '  '.repeat(getGroupIndentLevel(group));
+            const nodeLabel = group.path.split('/').pop() || group.path;
+            logger_logger.log(`  ${indent}└─ ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold.cyan(nodeLabel)}${vis}${desc} ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(`(${group.path})`)}`);
+        }
+        logger_logger.newline();
+        return;
+    }
+    for (const group of groups){
+        const vis = 'private' === group.visibility ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].yellow(' (private)') : '';
+        const desc = group.description ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(` - ${group.description}`) : '';
+        logger_logger.log(`  ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold.cyan(group.path)}${vis}${desc}`);
+        const meta = [];
+        if (void 0 !== group.skill_count) meta.push(`${group.skill_count} skill(s)`);
+        if (void 0 !== group.member_count) meta.push(`${group.member_count} member(s)`);
+        if (meta.length > 0) logger_logger.log(`    ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(meta.join(' · '))}`);
+    }
     logger_logger.newline();
-    logger_logger.log('Next steps:');
-    logger_logger.log('  reskill install <skill>  Install a skill');
-    logger_logger.log('  reskill list             List installed skills');
 }
-// ============================================================================
-// Command Definition
-// ============================================================================
-/**
- * init command - Initialize skills.json configuration
- *
- * Creates a new skills.json file in the current directory with default settings.
- * Will not overwrite an existing skills.json file.
- *
- * @example
- * ```bash
- * # Initialize with defaults
- * reskill init
- *
- * # Initialize with custom install directory
- * reskill init -d my-skills
- *
- * # Skip prompts (for CI/scripts)
- * reskill init -y
- * ```
- */ const initCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('init').description('Initialize a new skills.json configuration').option('-d, --install-dir <dir>', 'Skills installation directory', DEFAULT_INSTALL_DIR).option('-y, --yes', 'Skip prompts and use defaults').action((options)=>{
-    const configLoader = new ConfigLoader();
-    // Check if configuration already exists
-    if (configLoader.exists()) {
-        logger_logger.warn('skills.json already exists');
+function displayGroupDetail(detail, json) {
+    if (json) {
+        console.log(JSON.stringify(detail, null, 2));
         return;
     }
-    // Create new configuration
-    configLoader.create({
-        defaults: {
-            installDir: options.installDir
-        }
-    });
-    // Display summary (use options.installDir directly since we just set it)
-    displayConfigSummary(options.installDir);
-});
+    logger_logger.newline();
+    logger_logger.log(`${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(detail.name)} ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(`(${detail.path})`)}`);
+    if (detail.description) logger_logger.log(`  ${detail.description}`);
+    logger_logger.newline();
+    const vis = 'private' === detail.visibility ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].yellow('private') : __WEBPACK_EXTERNAL_MODULE_chalk__["default"].green('public');
+    logger_logger.log(`  Visibility:  ${vis}`);
+    logger_logger.log(`  Level:       ${detail.level}`);
+    if (void 0 !== detail.skill_count) logger_logger.log(`  Skills:      ${detail.skill_count}`);
+    if (void 0 !== detail.member_count) logger_logger.log(`  Members:     ${detail.member_count}`);
+    if (detail.current_user_role) logger_logger.log(`  Your role:   ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(detail.current_user_role)}`);
+    if (detail.children && detail.children.length > 0) {
+        logger_logger.newline();
+        logger_logger.log('  Sub groups:');
+        for (const child of detail.children)logger_logger.log(`    • ${child.path}`);
+    }
+    logger_logger.newline();
+}
+function displayMemberList(members, groupPath, json) {
+    if (json) {
+        console.log(JSON.stringify(members, null, 2));
+        return;
+    }
+    if (0 === members.length) {
+        logger_logger.warn(`No members in group "${groupPath}"`);
+        return;
+    }
+    logger_logger.newline();
+    logger_logger.log(`${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(String(members.length))} member${1 === members.length ? '' : 's'} in ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(groupPath)}:`);
+    logger_logger.newline();
+    for (const member of members){
+        const role = __WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(member.role);
+        const handle = member.handle || member.user_id;
+        logger_logger.log(`  ${handle}  ${role}`);
+    }
+    logger_logger.newline();
+}
 // ============================================================================
-// Utility Functions
+// Subcommand Actions
 // ============================================================================
-/**
- * Format agent names list for display
- * Truncates long lists with "+N more" suffix
- */ function formatAgentNames(agentTypes, maxShow = 5) {
-    const names = agentTypes.map((a)=>agents[a].displayName);
-    if (names.length <= maxShow) return names.join(', ');
-    const shown = names.slice(0, maxShow);
-    const remaining = names.length - maxShow;
-    return `${shown.join(', ')} +${remaining} more`;
+async function listAction(options) {
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const groups = await client.listGroups({
+            flat: Boolean(options.tree)
+        });
+        displayGroupList(groups, options.json || false, Boolean(options.tree));
+    } catch (error) {
+        logger_logger.error(`Failed to list groups: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function createAction(name, options) {
+    const registry = resolveRegistry(options.registry);
+    const slug = generateSlug(name);
+    if (!slug) {
+        logger_logger.error('Name must contain at least one ASCII alphanumeric character to generate a valid slug');
+        process.exit(1);
+    }
+    if (!SLUG_REGEX.test(slug)) {
+        logger_logger.error(`Generated slug "${slug}" is invalid. Name must produce a slug matching ${SLUG_REGEX.source}`);
+        process.exit(1);
+    }
+    let parentId;
+    let client;
+    if (options.parent) {
+        const normalizedParent = normalizeGroupPath(options.parent);
+        assertValidGroupPath(normalizedParent);
+        client = createClient(registry);
+        try {
+            const parentGroup = await client.resolveGroup(normalizedParent);
+            parentId = parentGroup.id;
+        } catch (error) {
+            if (error instanceof RegistryError) logger_logger.error(`Parent group "${options.parent}" not found`);
+            else logger_logger.error(`Failed to resolve parent: ${error.message}`);
+            process.exit(1);
+        }
+    }
+    try {
+        const ensuredClient = client ?? createClient(registry);
+        const group = await ensuredClient.createGroup({
+            name,
+            slug,
+            description: options.description,
+            visibility: options.visibility,
+            parent_id: parentId
+        });
+        if (options.json) console.log(JSON.stringify(group, null, 2));
+        else {
+            logger_logger.newline();
+            logger_logger.success(`Group created: ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(group.path)}`);
+            logger_logger.log(`  ID:         ${group.id}`);
+            logger_logger.log(`  Visibility: ${group.visibility}`);
+            logger_logger.newline();
+        }
+    } catch (error) {
+        logger_logger.error(`Failed to create group: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function infoAction(groupPath, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        displayGroupDetail(detail, options.json || false);
+    } catch (error) {
+        if (error instanceof RegistryError) {
+            if (404 === error.statusCode) logger_logger.error(`Group "${groupPath}" not found`);
+            else logger_logger.error(`Failed to get group info: ${error.message}`);
+        } else logger_logger.error(`Failed to get group info: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function deleteAction(groupPath, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        if (options.dryRun) {
+            const result = await client.deleteGroup(detail.id, true);
+            logger_logger.newline();
+            logger_logger.log(`Dry run: deleting group "${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(groupPath)}"`);
+            if (void 0 !== result.affected_skills) logger_logger.log(`  Affected skills: ${result.affected_skills}`);
+            logger_logger.log('No changes made (--dry-run)');
+            logger_logger.newline();
+            return;
+        }
+        if (!options.yes) {
+            const { createInterface } = await import("node:readline");
+            const rl = createInterface({
+                input: process.stdin,
+                output: process.stdout
+            });
+            const answer = await new Promise((resolve)=>{
+                rl.question(`\n? Delete group "${groupPath}" and all its contents? (y/N) `, resolve);
+                rl.once('close', ()=>resolve(''));
+            });
+            rl.close();
+            if ('y' !== answer.trim().toLowerCase() && 'yes' !== answer.trim().toLowerCase()) {
+                logger_logger.log('Cancelled.');
+                return;
+            }
+        }
+        await client.deleteGroup(detail.id, false);
+        logger_logger.success(`Group "${groupPath}" deleted`);
+    } catch (error) {
+        if (error instanceof RegistryError) {
+            if (404 === error.statusCode) logger_logger.error(`Group "${groupPath}" not found`);
+            else logger_logger.error(`Failed to delete group: ${error.message}`);
+        } else logger_logger.error(`Failed to delete group: ${error.message}`);
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Member Subcommand Actions
+// ============================================================================
+async function memberListAction(groupPath, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        const members = await client.listGroupMembers(detail.id);
+        displayMemberList(members, groupPath, options.json || false);
+    } catch (error) {
+        logger_logger.error(`Failed to list members: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function memberAddAction(groupPath, userIds, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    const role = options.role || 'developer';
+    if (!validateRole(role)) {
+        logger_logger.error(`Invalid role "${role}". Must be one of: ${VALID_ROLES.join(', ')}`);
+        process.exit(1);
+    }
+    try {
+        const detail = await client.resolveGroup(normalized);
+        await client.addGroupMembers(detail.id, userIds, role);
+        logger_logger.success(`Added ${userIds.length} member(s) to "${groupPath}" as ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(role)}`);
+    } catch (error) {
+        logger_logger.error(`Failed to add members: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function memberRemoveAction(groupPath, userId, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        await client.removeGroupMember(detail.id, userId);
+        logger_logger.success(`Removed "${userId}" from "${groupPath}"`);
+    } catch (error) {
+        logger_logger.error(`Failed to remove member: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function memberRoleAction(groupPath, userId, role, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    if (!validateRole(role)) {
+        logger_logger.error(`Invalid role "${role}". Must be one of: ${VALID_ROLES.join(', ')}`);
+        process.exit(1);
+    }
+    try {
+        const detail = await client.resolveGroup(normalized);
+        await client.updateGroupMemberRole(detail.id, userId, role);
+        logger_logger.success(`Updated role of "${userId}" in "${groupPath}" to ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(role)}`);
+    } catch (error) {
+        logger_logger.error(`Failed to update role: ${error.message}`);
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Command Definitions
+// ============================================================================
+const memberCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('member').description('Manage group members');
+memberCommand.command('list <path>').description('List members of a group').option('-r, --registry <url>', 'Registry URL').option('-j, --json', 'Output as JSON').action(memberListAction);
+memberCommand.command('add <path> <users...>').description('Add members to a group').option('-r, --registry <url>', 'Registry URL').option('--role <role>', 'Role to assign (owner|maintainer|developer)', 'developer').action(memberAddAction);
+memberCommand.command('remove <path> <user>').description('Remove a member from a group').option('-r, --registry <url>', 'Registry URL').action(memberRemoveAction);
+memberCommand.command('role <path> <user> <role>').description("Change a member's role").option('-r, --registry <url>', 'Registry URL').action(memberRoleAction);
+const groupCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('group').description('Manage skill groups');
+groupCommand.command('list').description('List visible groups').option('-r, --registry <url>', 'Registry URL').option('--tree', 'Render groups as a tree (requests flat group list)').option('-j, --json', 'Output as JSON').action(listAction);
+groupCommand.command('create <name>').description('Create a new group').option('-r, --registry <url>', 'Registry URL').option('-d, --description <text>', 'Group description').option('--visibility <level>', 'Visibility: public or private', 'public').option('--parent <path>', 'Parent group path (for sub groups)').option('-j, --json', 'Output as JSON').action(createAction);
+groupCommand.command('info <path>').description('Show group details').option('-r, --registry <url>', 'Registry URL').option('-j, --json', 'Output as JSON').action(infoAction);
+groupCommand.command('delete <path>').description('Delete a group').option('-r, --registry <url>', 'Registry URL').option('-n, --dry-run', 'Preview deletion without executing').option('-y, --yes', 'Skip confirmation').action(deleteAction);
+groupCommand.addCommand(memberCommand);
+/**
+ * info command - Show skill details
+ */ const infoCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('info').description('Show skill details').argument('<skill>', 'Skill name').option('-j, --json', 'Output as JSON').action((skillName, options)=>{
+    const skillManager = new SkillManager();
+    const info = skillManager.getInfo(skillName);
+    if (options.json) {
+        console.log(JSON.stringify(info, null, 2));
+        return;
+    }
+    if (!info.installed && !info.config) {
+        logger_logger.error(`Skill ${skillName} not found`);
+        process.exit(1);
+    }
+    logger_logger.log(`Skill: ${skillName}`);
+    logger_logger.newline();
+    if (info.config) {
+        logger_logger.log("Configuration (skills.json):");
+        logger_logger.log(`  Reference: ${info.config}`);
+    }
+    if (info.locked) {
+        logger_logger.log("Locked Version (skills.lock):");
+        logger_logger.log(`  Version: ${info.locked.version}`);
+        logger_logger.log(`  Source: ${info.locked.source}`);
+        logger_logger.log(`  Commit: ${info.locked.commit}`);
+        logger_logger.log(`  Installed: ${info.locked.installedAt}`);
+    }
+    if (info.installed) {
+        logger_logger.log("Installed:");
+        logger_logger.log(`  Path: ${info.installed.path}`);
+        logger_logger.log(`  Version: ${info.installed.version}`);
+        logger_logger.log(`  Linked: ${info.installed.isLinked ? 'Yes' : 'No'}`);
+        if (info.installed.metadata) {
+            const meta = info.installed.metadata;
+            logger_logger.log("Metadata (SKILL.md):");
+            if (meta.description) logger_logger.log(`  Description: ${meta.description}`);
+            if (meta.author) logger_logger.log(`  Author: ${meta.author}`);
+            if (meta.license) logger_logger.log(`  License: ${meta.license}`);
+            if (meta.keywords?.length) logger_logger.log(`  Keywords: ${meta.keywords.join(', ')}`);
+        }
+    } else logger_logger.warn(`Skill ${skillName} is not installed`);
+});
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_INSTALL_DIR = '.skills';
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Display configuration summary after initialization
+ */ function displayConfigSummary(installDir) {
+    logger_logger.success('Created skills.json');
+    logger_logger.newline();
+    logger_logger.log('Configuration:');
+    logger_logger.log(`  Install directory: ${installDir}`);
+    logger_logger.newline();
+    logger_logger.log('Next steps:');
+    logger_logger.log('  reskill install <skill>  Install a skill');
+    logger_logger.log('  reskill list             List installed skills');
+}
+// ============================================================================
+// Command Definition
+// ============================================================================
+/**
+ * init command - Initialize skills.json configuration
+ *
+ * Creates a new skills.json file in the current directory with default settings.
+ * Will not overwrite an existing skills.json file.
+ *
+ * @example
+ * ```bash
+ * # Initialize with defaults
+ * reskill init
+ *
+ * # Initialize with custom install directory
+ * reskill init -d my-skills
+ *
+ * # Skip prompts (for CI/scripts)
+ * reskill init -y
+ * ```
+ */ const initCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('init').description('Initialize a new skills.json configuration').option('-d, --install-dir <dir>', 'Skills installation directory', DEFAULT_INSTALL_DIR).option('-y, --yes', 'Skip prompts and use defaults').action((options)=>{
+    const configLoader = new ConfigLoader();
+    // Check if configuration already exists
+    if (configLoader.exists()) {
+        logger_logger.warn('skills.json already exists');
+        return;
+    }
+    // Create new configuration
+    configLoader.create({
+        defaults: {
+            installDir: options.installDir
+        }
+    });
+    // Display summary (use options.installDir directly since we just set it)
+    displayConfigSummary(options.installDir);
+});
+// ============================================================================
+// Utility Functions
+// ============================================================================
+/**
+ * Format agent names list for display
+ * Truncates long lists with "+N more" suffix
+ */ function formatAgentNames(agentTypes, maxShow = 5) {
+    const names = agentTypes.map((a)=>agents[a].displayName);
+    if (names.length <= maxShow) return names.join(', ');
+    const shown = names.slice(0, maxShow);
+    const remaining = names.length - maxShow;
+    return `${shown.join(', ')} +${remaining} more`;
 }
 /**
  * Format agent names with chalk coloring
@@ -7483,955 +8065,956 @@ const logoutCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('logout'
     }
 });
 /**
- * Publisher - Handle Git information and publish payload building
+ * ContentScanner - Detect malicious patterns in SKILL.md content
  *
- * Extracts Git metadata and builds the payload for publishing to registry.
- */ class PublishError extends Error {
-    constructor(message){
-        super(message);
-        this.name = 'PublishError';
-    }
-}
-// ============================================================================
-// Publisher Class
+ * Features:
+ * - Context-aware: skips safe zones (frontmatter, code blocks, quotes, blockquotes)
+ * - 6 built-in detection rules across 3 risk levels
+ * - Configurable: override levels, disable rules, add custom rules
+ * - Pure string operations in scan() — no fs dependency, suitable for server use
+ * - scanFile() convenience method for CLI use
+ */ // ============================================================================
+// Safe Zone Masking
 // ============================================================================
-class Publisher {
-    /**
-   * Get Git information from a skill directory
-   */ async getGitInfo(skillPath, specifiedTag) {
-        const info = {
-            isRepo: false,
-            remoteUrl: null,
-            currentBranch: null,
-            currentCommit: null,
-            commitDate: null,
-            tag: null,
-            tagCommit: null,
-            isDirty: false,
-            sourceRef: null
-        };
-        // Check if it's a git repository
-        try {
-            (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git rev-parse --git-dir', {
-                cwd: skillPath,
-                stdio: 'pipe'
-            });
-            info.isRepo = true;
-        } catch  {
-            return info;
-        }
-        // Get remote URL
-        try {
-            info.remoteUrl = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git remote get-url origin', {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim();
-            // Parse to sourceRef format
-            info.sourceRef = this.parseRemoteToSourceRef(info.remoteUrl);
-        } catch  {
-        // No remote configured
-        }
-        // Get current branch
-        try {
-            info.currentBranch = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git branch --show-current', {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim() || null;
-        } catch  {
-        // Detached HEAD or other error
-        }
-        // Get current commit
-        try {
-            info.currentCommit = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git rev-parse HEAD', {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim();
-            // Get commit date
-            info.commitDate = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git show -s --format=%cI HEAD', {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim();
-        } catch  {
-        // No commits yet
-        }
-        // Get tag
-        if (specifiedTag) // Use specified tag
-        try {
-            info.tagCommit = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)(`git rev-parse "${specifiedTag}^{commit}"`, {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim();
-            info.tag = specifiedTag;
-        } catch  {
-            throw new PublishError(`Tag "${specifiedTag}" not found`);
-        }
-        else // Try to get tag on current commit
-        try {
-            const tag = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git describe --exact-match --tags HEAD', {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim();
-            info.tag = tag;
-            info.tagCommit = info.currentCommit;
-        } catch  {
-        // No tag on current commit
+/**
+ * Mask safe zones in Markdown content with spaces, preserving line structure.
+ *
+ * Safe zones (content replaced with spaces):
+ * - YAML frontmatter (`---` ... `---` at file start)
+ * - Fenced code blocks (``` or ~~~)
+ * - Indented code blocks (4 spaces / tab after blank line)
+ * - Blockquotes (`> ` prefix)
+ * - Inline code (`` `...` ``)
+ * - Double-quoted text (`"..."`, min 3 chars between quotes)
+ *
+ * Line breaks are preserved so line numbers remain correct.
+ */ function maskSafeZones(content) {
+    const lines = content.split('\n');
+    const result = [];
+    let inFrontmatter = false;
+    let inFencedCode = false;
+    let fenceChar = '';
+    let fenceLength = 0;
+    let prevLineBlank = false;
+    let prevLineIndentedCode = false;
+    for(let i = 0; i < lines.length; i++){
+        const line = lines[i];
+        // --- YAML Frontmatter (only at file start) ---
+        if (0 === i && '---' === line.trim()) {
+            inFrontmatter = true;
+            result.push(maskLine(line));
+            continue;
         }
-        // Check if working tree is dirty
-        try {
-            const status = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git status --porcelain', {
-                cwd: skillPath,
-                encoding: 'utf-8'
-            }).trim();
-            info.isDirty = status.length > 0;
-        } catch  {
-        // Ignore errors
+        if (inFrontmatter) {
+            result.push(maskLine(line));
+            if ('---' === line.trim()) inFrontmatter = false;
+            continue;
         }
-        return info;
-    }
-    /**
-   * Parse remote URL to sourceRef format (e.g., github:user/repo)
-   */ parseRemoteToSourceRef(remoteUrl) {
-        // SSH format: git@github.com:user/repo.git
-        const sshMatch = remoteUrl.match(/^git@([^:]+):([^/]+)\/(.+?)(\.git)?$/);
-        if (sshMatch) {
-            const [, host, owner, repo] = sshMatch;
-            const registry = this.normalizeHost(host);
-            return `${registry}:${owner}/${repo.replace(/\.git$/, '')}`;
+        // --- Fenced code blocks (``` or ~~~) ---
+        const fenceMatch = line.match(/^(`{3,}|~{3,})/);
+        if (!inFencedCode && fenceMatch) {
+            inFencedCode = true;
+            fenceChar = fenceMatch[1][0];
+            fenceLength = fenceMatch[1].length;
+            result.push(maskLine(line));
+            prevLineBlank = false;
+            prevLineIndentedCode = false;
+            continue;
         }
-        // HTTPS format: https://github.com/user/repo.git
-        const httpsMatch = remoteUrl.match(/^https?:\/\/([^/]+)\/([^/]+)\/(.+?)(\.git)?$/);
-        if (httpsMatch) {
-            const [, host, owner, repo] = httpsMatch;
-            const registry = this.normalizeHost(host);
-            return `${registry}:${owner}/${repo.replace(/\.git$/, '')}`;
+        if (inFencedCode) {
+            result.push(maskLine(line));
+            const closeMatch = line.match(/^(`{3,}|~{3,})\s*$/);
+            if (closeMatch && closeMatch[1][0] === fenceChar && closeMatch[1].length >= fenceLength) inFencedCode = false;
+            prevLineBlank = false;
+            prevLineIndentedCode = false;
+            continue;
         }
-        return null;
-    }
-    /**
-   * Normalize host to registry name
-   */ normalizeHost(host) {
-        if ('github.com' === host) return 'github';
-        if ('gitlab.com' === host) return 'gitlab';
-        return host;
-    }
-    /**
-   * Build publish payload
-   */ buildPayload(skill, gitInfo, integrity) {
-        const { skillJson, skillMd, readme, files } = skill;
-        const payload = {
-            version: skillJson.version,
-            description: skillJson.description || '',
-            gitRef: gitInfo.tag || gitInfo.currentCommit || 'HEAD',
-            gitCommit: gitInfo.tagCommit || gitInfo.currentCommit || '',
-            gitCommitDate: gitInfo.commitDate || void 0,
-            repositoryUrl: gitInfo.remoteUrl || '',
-            sourceRef: gitInfo.sourceRef || '',
-            skillJson,
-            files,
-            entry: skillJson.entry || 'SKILL.md',
-            integrity
-        };
-        // Add optional fields
-        if (skillMd) payload.skillMd = {
-            name: skillMd.name,
-            description: skillMd.description,
-            license: skillMd.license,
-            compatibility: skillMd.compatibility,
-            allowedTools: skillMd.allowedTools
-        };
-        if (readme) payload.readmePreview = readme;
-        if (skillJson.keywords && skillJson.keywords.length > 0) payload.keywords = skillJson.keywords;
-        if (skillJson.compatibility) {
-            // Filter out undefined values from compatibility
-            const compat = {};
-            for (const [key, value] of Object.entries(skillJson.compatibility))if (void 0 !== value) compat[key] = value;
-            if (Object.keys(compat).length > 0) payload.compatibility = compat;
+        // --- Blockquote ---
+        if (/^>\s?/.test(line)) {
+            result.push(maskLine(line));
+            prevLineBlank = false;
+            prevLineIndentedCode = false;
+            continue;
         }
-        return payload;
-    }
-    /**
-   * Format bytes for display
-   */ formatBytes(bytes) {
-        if (bytes < 1024) return `${bytes} B`;
-        if (bytes < 1048576) return `${(bytes / 1024).toFixed(1)} KB`;
-        return `${(bytes / 1048576).toFixed(1)} MB`;
-    }
-    /**
-   * Calculate total size of files
-   */ calculateTotalSize(skillPath, files) {
-        let total = 0;
-        for (const file of files){
-            const filePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, file);
-            if (external_node_fs_.existsSync(filePath)) {
-                const stats = external_node_fs_.statSync(filePath);
-                total += stats.size;
-            }
+        // --- Indented code block (4 spaces or tab, after blank line) ---
+        if (/^(?:    |\t)/.test(line) && (prevLineBlank || prevLineIndentedCode)) {
+            result.push(maskLine(line));
+            prevLineBlank = false;
+            prevLineIndentedCode = true;
+            continue;
         }
-        return total;
+        // --- Normal line: mask inline code and double-quoted text ---
+        result.push(maskInline(line));
+        prevLineBlank = '' === line.trim();
+        prevLineIndentedCode = false;
     }
+    return result.join('\n');
+}
+/** Replace all characters in a line with spaces (preserving length) */ function maskLine(line) {
+    return ' '.repeat(line.length);
 }
 /**
- * SkillValidator - Validate skills for publishing
- *
- * Following agentskills.io specification: https://agentskills.io/specification
- *
- * Key points:
- * - SKILL.md is the SOLE source of metadata (name, description, version, etc.)
- * - skill.json is NOT used - all metadata comes from SKILL.md frontmatter
- * - Version defaults to "0.0.0" if not specified in SKILL.md
- */ // ============================================================================
-// Constants
-// ============================================================================
-const MAX_NAME_LENGTH = 64;
-const MAX_DESCRIPTION_LENGTH = 1024;
-const MAX_KEYWORDS = 10;
-const SINGLE_CHAR_NAME_PATTERN = /^[a-z0-9]$/;
-const DEFAULT_VERSION = '0.0.0';
-// Default files to include in publish
-const DEFAULT_FILES = [
-    'SKILL.md',
-    'README.md',
-    'LICENSE'
-];
+ * Mask inline code (`` `...` ``) and double-quoted text (`"..."`) within a line.
+ * Uses regex replacement for efficiency (avoids char-by-char concatenation on long lines).
+ * Single quotes are NOT masked to avoid false matches with apostrophes.
+ */ function maskInline(line) {
+    let result = line;
+    // Inline code: `...`
+    result = result.replace(/`[^`]+`/g, (m)=>' '.repeat(m.length));
+    // Double-quoted text: "..." (min 3 chars between quotes)
+    result = result.replace(/"[^"]{3,}"/g, (m)=>' '.repeat(m.length));
+    return result;
+}
 // ============================================================================
-// SkillValidator Class
+// Rule Helpers
 // ============================================================================
-class SkillValidator {
-    /**
-   * Validate skill name format
-   *
-   * Requirements:
-   * - Lowercase letters, numbers, and hyphens only
-   * - 1-64 characters
-   * - Cannot start or end with hyphen
-   * - Cannot have consecutive hyphens
-   */ validateName(name) {
-        const errors = [];
-        if (!name) {
-            errors.push({
-                field: 'name',
-                message: 'Skill name is required',
-                suggestion: 'Add "name" field to SKILL.md frontmatter'
-            });
-            return {
-                valid: false,
-                errors,
-                warnings: []
-            };
-        }
-        if (name.length > MAX_NAME_LENGTH) errors.push({
-            field: 'name',
-            message: `Skill name must be at most ${MAX_NAME_LENGTH} characters`,
-            suggestion: `Shorten the name to ${MAX_NAME_LENGTH} characters or less`
+/** Find lines matching any of the given patterns, return one match per line */ function findLineMatches(content, patterns) {
+    const lines = content.split('\n');
+    const matches = [];
+    for(let i = 0; i < lines.length; i++)for (const pattern of patterns)if (pattern.test(lines[i])) {
+        matches.push({
+            line: i + 1
         });
-        // Check for uppercase
-        if (/[A-Z]/.test(name)) errors.push({
-            field: 'name',
-            message: 'Skill name must be lowercase',
-            suggestion: `Change "${name}" to "${name.toLowerCase()}"`
-        });
-        // Check for invalid characters
-        if (/[^a-z0-9-]/.test(name)) errors.push({
-            field: 'name',
-            message: 'Skill name can only contain lowercase letters, numbers, and hyphens',
-            suggestion: 'Remove special characters from the name'
-        });
-        // Check pattern for multi-char names
-        if (1 === name.length) {
-            if (!SINGLE_CHAR_NAME_PATTERN.test(name)) errors.push({
-                field: 'name',
-                message: 'Single character name must be a lowercase letter or number'
-            });
-        } else if (name.length > 1) {
-            // Check start/end with hyphen
-            if (name.startsWith('-')) errors.push({
-                field: 'name',
-                message: 'Skill name cannot start with a hyphen'
+        break;
+    }
+    return matches;
+}
+// ============================================================================
+// Default Rules
+// ============================================================================
+const SNIPPET_MAX_LENGTH = 120;
+/** Built-in detection rules */ const DEFAULT_RULES = [
+    // Rule 1: Prompt Injection (high)
+    {
+        id: 'prompt-injection',
+        level: 'high',
+        message: 'Detected prompt injection attempt',
+        skipSafeZones: true,
+        check: (content)=>findLineMatches(content, [
+                // English patterns
+                /ignore\s+(all\s+)?previous\s+instructions/i,
+                /disregard\s+(all\s+)?(prior|previous|above)\s+(instructions|rules|context)/i,
+                /you\s+are\s+now\s+(?:(?:a|an)\s+)?(?:(?:\w+\s+){0,3}(?:agent|ai|assistant|bot|model|character|persona|entity|system)|DAN\b|jailbr\w*|unrestricted|unfiltered|free\s+from)/i,
+                /from\s+now\s+on[,\s]+you\s+are/i,
+                /new\s+system\s+prompt/i,
+                /override\s+(your|the)\s+(system|safety|security)\s+(prompt|rules|instructions)/i,
+                /forget\s+(?:all\s+)?(?:your\s+)?(?:previous\s+|prior\s+)?(?:instructions|rules|constraints)/i,
+                /(?:you\s+are|you're)\s+(?:now\s+)?entering\s+(?:a\s+)?new\s+(?:mode|context|session)/i,
+                // Chinese patterns (中文提示词注入)
+                /[忽无][略视]\s*(所有\s*)?(之前的?|先前的?|以前的?)?\s*(指令|指示|规则|约束|限制)/,
+                /你现在是/,
+                /从现在开始.{0,10}你是/,
+                /新的系统提示词/,
+                /[覆改]写?\s*(你的|系统)\s*(提示词|规则|指令|安全)/,
+                /忘记\s*(所有\s*)?(之前的?|先前的?)?\s*(指令|指示|规则|约束)/,
+                /进入.{0,5}新的?\s*(模式|上下文|会话)/,
+                /不要遵守.{0,10}(安全|限制|规则|约束)/,
+                /解除.{0,5}(限制|约束|安全)/,
+                /无限制模式/,
+                /安全模式已关闭/
+            ])
+    },
+    // Rule 2: Data Exfiltration (high)
+    {
+        id: 'data-exfiltration',
+        level: 'high',
+        message: 'Detected potential data exfiltration command',
+        skipSafeZones: true,
+        check: (content)=>{
+            const lines = content.split('\n');
+            const matches = [];
+            const commandPattern = /\b(curl|wget|fetch|http\.post|requests\.post|nc\b|ncat|netcat)\b/i;
+            const sensitivePattern = /(\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|AUTH)[A-Z_]*|\$ENV\b|\$\{[^}]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)[^}]*\})/i;
+            for(let i = 0; i < lines.length; i++)if (commandPattern.test(lines[i]) && sensitivePattern.test(lines[i])) matches.push({
+                line: i + 1
             });
-            if (name.endsWith('-')) errors.push({
-                field: 'name',
-                message: 'Skill name cannot end with a hyphen'
+            return matches;
+        }
+    },
+    // Rule 3: Content Obfuscation (high) — scans ALL content including safe zones
+    {
+        id: 'obfuscation',
+        level: 'high',
+        message: 'Detected content obfuscation',
+        skipSafeZones: false,
+        check: (content)=>{
+            const matches = [];
+            const lines = content.split('\n');
+            // Zero-width characters (suspicious in any context)
+            const zeroWidthPattern = /[\u200B\u200C\u200D\uFEFF\u2060\u180E]/;
+            for(let i = 0; i < lines.length; i++)if (zeroWidthPattern.test(lines[i])) matches.push({
+                line: i + 1,
+                snippet: 'Zero-width Unicode characters detected'
             });
-            // Check consecutive hyphens
-            if (/--/.test(name)) errors.push({
-                field: 'name',
-                message: 'Skill name cannot contain consecutive hyphens'
+            // Long base64-like strings (>200 continuous chars)
+            const base64Pattern = /[A-Za-z0-9+/=]{200,}/;
+            for(let i = 0; i < lines.length; i++)if (base64Pattern.test(lines[i])) matches.push({
+                line: i + 1,
+                snippet: 'Suspicious base64-encoded block detected'
             });
+            // Large HTML comments (>200 chars of content)
+            const commentRegex = /<!--([\s\S]{200,}?)-->/g;
+            let match;
+            // biome-ignore lint/suspicious/noAssignInExpressions: standard regex exec loop
+            while(null !== (match = commentRegex.exec(content))){
+                const lineNum = content.slice(0, match.index).split('\n').length;
+                matches.push({
+                    line: lineNum,
+                    snippet: `Large HTML comment block (${match[1].length} chars)`
+                });
+            }
+            return matches;
         }
-        return {
-            valid: 0 === errors.length,
-            errors,
-            warnings: []
-        };
-    }
-    /**
-   * Validate version format (semver)
-   */ validateVersion(version) {
-        const errors = [];
-        if (!version) {
-            errors.push({
-                field: 'version',
-                message: 'Version is required',
-                suggestion: 'Add "version" field to SKILL.md frontmatter (e.g., "1.0.0")'
-            });
-            return {
-                valid: false,
-                errors,
-                warnings: []
-            };
+    },
+    // Rule 4: Sensitive File Access (medium)
+    {
+        id: 'sensitive-file-access',
+        level: 'medium',
+        message: 'References sensitive file path',
+        skipSafeZones: true,
+        check: (content)=>findLineMatches(content, [
+                /~\/\.ssh\b/,
+                /~\/\.aws\b/,
+                /~\/\.gnupg\b/,
+                /~\/\.config\/gcloud\b/,
+                /\bid_rsa\b/i,
+                /\bid_ed25519\b/i,
+                /\/etc\/passwd\b/,
+                /\/etc\/shadow\b/,
+                /\.env\b(?!\.\w)/
+            ])
+    },
+    // Rule 5: Stealth Instructions (medium) — phrase + action verb matching
+    {
+        id: 'stealth-instructions',
+        level: 'medium',
+        message: 'Detected instruction to hide actions from user',
+        skipSafeZones: true,
+        check: (content)=>{
+            const actionVerbs = 'execute|delete|remove|send|transmit|modify|overwrite|install|download|upload|run|write|create|destroy|drop';
+            const patterns = [
+                // English patterns
+                new RegExp(`silently\\s+(?:${actionVerbs})`, 'i'),
+                new RegExp(`without\\s+telling\\s+the\\s+user.{0,30}(?:${actionVerbs})`, 'i'),
+                new RegExp("(?:do\\s+not|don'?t)\\s+show\\s+.{0,40}(?:to\\s+the\\s+user|to\\s+user)", 'i'),
+                new RegExp("hide\\s+(?:this|the|these|all)\\s+.{0,30}(?:from\\s+the\\s+user|from\\s+user)", 'i'),
+                new RegExp("(?:do\\s+not|don'?t)\\s+mention\\s+.{0,30}(?:to\\s+the\\s+user|to\\s+user)", 'i'),
+                new RegExp("keep\\s+(?:this|it)\\s+(?:a\\s+)?secret\\s+from\\s+(?:the\\s+)?user", 'i'),
+                // Chinese patterns (中文隐蔽指令)
+                /悄悄地?\s*(?:执行|删除|移除|发送|传输|修改|覆盖|安装|下载|上传|运行|写入|创建|销毁|丢弃)/,
+                /不要告诉用户/,
+                /不要让用户知道/,
+                /对用户隐藏/,
+                /在用户不知情的情况下/,
+                /瞒着用户/
+            ];
+            // Safe patterns to exclude (common in legitimate DevOps/automation skills)
+            const safePatterns = [
+                /silently\s+(?:ignore|skip|fail|discard|suppress|continue|pass|drop|swallow)/i,
+                // Chinese safe patterns (中文合法自动化用语)
+                /悄悄地?\s*(?:忽略|跳过|丢弃|抑制|继续|静默)/
+            ];
+            const lines = content.split('\n');
+            const matches = [];
+            for(let i = 0; i < lines.length; i++){
+                const line = lines[i];
+                if (!safePatterns.some((p)=>p.test(line))) {
+                    for (const pattern of patterns)if (pattern.test(line)) {
+                        matches.push({
+                            line: i + 1
+                        });
+                        break;
+                    }
+                }
+            }
+            return matches;
         }
-        // Check for v prefix
-        if (version.startsWith('v')) {
-            errors.push({
-                field: 'version',
-                message: 'Version should not have "v" prefix',
-                suggestion: `Change "${version}" to "${version.slice(1)}"`
-            });
-            return {
-                valid: false,
-                errors,
-                warnings: []
-            };
+    },
+    // Rule 6: Oversized Content (low) — scans ALL content
+    {
+        id: 'oversized-content',
+        level: 'low',
+        message: 'Content exceeds recommended size limit',
+        skipSafeZones: false,
+        check: (content)=>{
+            const MAX_SIZE_BYTES = 51200;
+            const sizeBytes = Buffer.byteLength(content, 'utf-8');
+            if (sizeBytes > MAX_SIZE_BYTES) return [
+                {
+                    snippet: `Content size: ${(sizeBytes / 1024).toFixed(1)}KB (limit: 50KB)`
+                }
+            ];
+            return [];
         }
-        if (!__WEBPACK_EXTERNAL_MODULE_semver__.valid(version)) errors.push({
-            field: 'version',
-            message: `Invalid version format: "${version}". Must follow semver (x.y.z)`,
-            suggestion: 'Use format like "1.0.0" or "1.0.0-beta.1"'
-        });
-        return {
-            valid: 0 === errors.length,
-            errors,
-            warnings: []
-        };
     }
-    /**
-   * Validate description
-   *
-   * Following agentskills.io specification:
-   * - Max 1024 characters
-   * - Non-empty
-   */ validateDescription(description) {
-        const errors = [];
-        if (!description) {
-            errors.push({
-                field: 'description',
-                message: 'Description is required',
-                suggestion: 'Add "description" field to SKILL.md frontmatter'
-            });
-            return {
-                valid: false,
-                errors,
-                warnings: []
-            };
-        }
-        if (description.length > MAX_DESCRIPTION_LENGTH) errors.push({
-            field: 'description',
-            message: `Description must be at most ${MAX_DESCRIPTION_LENGTH} characters`
-        });
-        // Note: angle brackets are allowed per agentskills.io spec
+];
+// ============================================================================
+// ContentScanner
+// ============================================================================
+/** Build the effective rule set from defaults + options */ function buildRuleSet(options) {
+    let rules = DEFAULT_RULES.map((r)=>({
+            ...r
+        }));
+    if (options?.disabledRules?.length) {
+        const disabled = new Set(options.disabledRules);
+        rules = rules.filter((r)=>!disabled.has(r.id));
+    }
+    if (options?.overrides) for (const rule of rules){
+        const override = options.overrides[rule.id];
+        if (override) rule.level = override;
+    }
+    if (options?.customRules?.length) rules.push(...options.customRules);
+    return rules;
+}
+/**
+ * Content scanner for SKILL.md files.
+ *
+ * Detects prompt injection, data exfiltration, obfuscation, sensitive file
+ * access, stealth instructions, and oversized content.
+ *
+ * @example
+ * ```typescript
+ * // Default usage (CLI)
+ * const scanner = new ContentScanner();
+ * const result = scanner.scan(content);
+ *
+ * // Custom usage (private registry server)
+ * const scanner = new ContentScanner({
+ *   overrides: { 'prompt-injection': 'medium' },
+ *   disabledRules: ['stealth-instructions'],
+ * });
+ * ```
+ */ class ContentScanner {
+    rules;
+    constructor(options){
+        this.rules = buildRuleSet(options);
+    }
+    /**
+   * Scan content string for malicious patterns.
+   * Pure string operation — no file system access.
+   */ scan(content) {
+        const originalLines = content.split('\n');
+        const maskedContent = maskSafeZones(content);
+        const findings = [];
+        for (const rule of this.rules){
+            const targetContent = rule.skipSafeZones ? maskedContent : content;
+            const matches = rule.check(targetContent);
+            for (const match of matches){
+                // Use custom snippet if provided, otherwise generate from original content
+                const snippet = match.snippet ?? (null != match.line ? originalLines[match.line - 1]?.trim().slice(0, SNIPPET_MAX_LENGTH) : void 0);
+                findings.push({
+                    rule: rule.id,
+                    level: rule.level,
+                    message: rule.message,
+                    line: match.line,
+                    snippet
+                });
+            }
+        }
+        const hasHighRisk = findings.some((f)=>'high' === f.level);
         return {
-            valid: 0 === errors.length,
-            errors,
-            warnings: []
+            passed: !hasHighRisk,
+            findings
         };
     }
     /**
-   * Load skill information from directory
-   *
-   * Following agentskills.io specification:
-   * - SKILL.md is the SOLE source of metadata
-   * - skillJson is synthesized from SKILL.md for backward compatibility with publish API
-   */ loadSkill(skillPath) {
-        const result = {
-            path: skillPath,
-            skillJson: null,
-            skillMd: null,
-            readme: null,
-            files: []
+   * Scan a file for malicious patterns.
+   * Convenience wrapper that reads the file then calls scan().
+   */ scanFile(filePath) {
+        if (!external_node_fs_.existsSync(filePath)) throw new Error(`File not found: ${filePath}`);
+        const content = external_node_fs_.readFileSync(filePath, 'utf-8');
+        return this.scan(content);
+    }
+}
+/**
+ * Publisher - Handle Git information and publish payload building
+ *
+ * Extracts Git metadata and builds the payload for publishing to registry.
+ */ class PublishError extends Error {
+    constructor(message){
+        super(message);
+        this.name = 'PublishError';
+    }
+}
+// ============================================================================
+// Publisher Class
+// ============================================================================
+class Publisher {
+    /**
+   * Get Git information from a skill directory
+   */ async getGitInfo(skillPath, specifiedTag) {
+        const info = {
+            isRepo: false,
+            remoteUrl: null,
+            currentBranch: null,
+            currentCommit: null,
+            commitDate: null,
+            tag: null,
+            tagCommit: null,
+            isDirty: false,
+            sourceRef: null
         };
-        // Load SKILL.md (sole source of metadata)
-        const skillMdPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, 'SKILL.md');
-        if (external_node_fs_.existsSync(skillMdPath)) try {
-            result.skillMd = parseSkillMdFile(skillMdPath);
-            // Always synthesize skillJson from SKILL.md for backward compatibility
-            if (result.skillMd) result.skillJson = this.synthesizeSkillJson(result.skillMd);
+        // Check if it's a git repository
+        try {
+            (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git rev-parse --git-dir', {
+                cwd: skillPath,
+                stdio: 'pipe'
+            });
+            info.isRepo = true;
         } catch  {
-        // Will be caught in validation
+            return info;
         }
-        // Load README.md
-        const readmePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, 'README.md');
-        if (external_node_fs_.existsSync(readmePath)) {
-            const content = external_node_fs_.readFileSync(readmePath, 'utf-8');
-            // Only keep first 500 chars as preview
-            result.readme = content.slice(0, 500);
+        // Get remote URL
+        try {
+            info.remoteUrl = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git remote get-url origin', {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim();
+            // Parse to sourceRef format
+            info.sourceRef = this.parseRemoteToSourceRef(info.remoteUrl);
+        } catch  {
+        // No remote configured
         }
-        // Scan files (use files array from SKILL.md metadata if available)
-        const filesPattern = result.skillMd?.metadata?.files;
-        result.files = this.scanFiles(skillPath, filesPattern);
-        return result;
+        // Get current branch
+        try {
+            info.currentBranch = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git branch --show-current', {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim() || null;
+        } catch  {
+        // Detached HEAD or other error
+        }
+        // Get current commit
+        try {
+            info.currentCommit = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git rev-parse HEAD', {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim();
+            // Get commit date
+            info.commitDate = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git show -s --format=%cI HEAD', {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim();
+        } catch  {
+        // No commits yet
+        }
+        // Get tag
+        if (specifiedTag) // Use specified tag
+        try {
+            info.tagCommit = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)(`git rev-parse "${specifiedTag}^{commit}"`, {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim();
+            info.tag = specifiedTag;
+        } catch  {
+            throw new PublishError(`Tag "${specifiedTag}" not found`);
+        }
+        else // Try to get tag on current commit
+        try {
+            const tag = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git describe --exact-match --tags HEAD', {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim();
+            info.tag = tag;
+            info.tagCommit = info.currentCommit;
+        } catch  {
+        // No tag on current commit
+        }
+        // Check if working tree is dirty
+        try {
+            const status = (0, __WEBPACK_EXTERNAL_MODULE_node_child_process__.execSync)('git status --porcelain', {
+                cwd: skillPath,
+                encoding: 'utf-8'
+            }).trim();
+            info.isDirty = status.length > 0;
+        } catch  {
+        // Ignore errors
+        }
+        return info;
     }
     /**
-   * Synthesize a SkillJson object from SKILL.md frontmatter
-   *
-   * This creates a SkillJson representation from SKILL.md for backward compatibility
-   * with the publish API. All metadata comes from SKILL.md.
-   */ synthesizeSkillJson(skillMd) {
-        // Extract version: first from top-level frontmatter, then from metadata, then default
-        const version = skillMd.version || skillMd.metadata?.version || DEFAULT_VERSION;
-        // Only include keywords if it's a valid array
-        const keywords = Array.isArray(skillMd.metadata?.keywords) ? skillMd.metadata.keywords : void 0;
-        return {
-            name: skillMd.name,
-            version,
-            description: skillMd.description,
-            license: skillMd.license,
-            keywords,
-            entry: 'SKILL.md'
-        };
+   * Parse remote URL to sourceRef format (e.g., github:user/repo)
+   */ parseRemoteToSourceRef(remoteUrl) {
+        // SSH format: git@github.com:user/repo.git
+        const sshMatch = remoteUrl.match(/^git@([^:]+):([^/]+)\/(.+?)(\.git)?$/);
+        if (sshMatch) {
+            const [, host, owner, repo] = sshMatch;
+            const registry = this.normalizeHost(host);
+            return `${registry}:${owner}/${repo.replace(/\.git$/, '')}`;
+        }
+        // HTTPS format: https://github.com/user/repo.git
+        const httpsMatch = remoteUrl.match(/^https?:\/\/([^/]+)\/([^/]+)\/(.+?)(\.git)?$/);
+        if (httpsMatch) {
+            const [, host, owner, repo] = httpsMatch;
+            const registry = this.normalizeHost(host);
+            return `${registry}:${owner}/${repo.replace(/\.git$/, '')}`;
+        }
+        return null;
     }
     /**
-   * Scan files to include in publish
-   *
-   * If includePatterns is specified, only include those files/directories.
-   * Otherwise, scan all files in the directory (excluding ignored patterns).
-   */ scanFiles(skillPath, includePatterns) {
-        const files = [];
-        const seen = new Set();
-        // If includePatterns specified, use selective scanning
-        if (includePatterns && includePatterns.length > 0) {
-            // Add default files first
-            for (const file of DEFAULT_FILES){
-                const filePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, file);
-                if (external_node_fs_.existsSync(filePath) && !seen.has(file)) {
-                    files.push(file);
-                    seen.add(file);
-                }
-            }
-            // Add files from SKILL.md metadata.files array
-            for (const pattern of includePatterns){
-                const targetPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, pattern);
-                if (external_node_fs_.existsSync(targetPath)) {
-                    const stat = external_node_fs_.statSync(targetPath);
-                    if (stat.isDirectory()) // Recursively add all files in directory
-                    this.addFilesFromDir(skillPath, pattern, files, seen);
-                    else if (!seen.has(pattern)) {
-                        files.push(pattern);
-                        seen.add(pattern);
-                    }
-                }
-            }
-        } else // No includePatterns: scan entire directory (default behavior)
-        this.addFilesFromDir(skillPath, '', files, seen);
-        return files;
+   * Normalize host to registry name
+   */ normalizeHost(host) {
+        if ('github.com' === host) return 'github';
+        if ('gitlab.com' === host) return 'gitlab';
+        return host;
     }
     /**
-   * Patterns to ignore when scanning directories
-   */ static IGNORE_PATTERNS = [
-        '.git',
-        '.svn',
-        '.hg',
-        'node_modules',
-        '.DS_Store',
-        'Thumbs.db',
-        '.idea',
-        '.vscode',
-        '*.log',
-        '*.tmp',
-        '*.swp',
-        '*.bak'
-    ];
+   * Build publish payload
+   */ buildPayload(skill, gitInfo, integrity) {
+        const { skillJson, skillMd, readme, files } = skill;
+        const payload = {
+            version: skillJson.version,
+            description: skillJson.description || '',
+            gitRef: gitInfo.tag || gitInfo.currentCommit || 'HEAD',
+            gitCommit: gitInfo.tagCommit || gitInfo.currentCommit || '',
+            gitCommitDate: gitInfo.commitDate || void 0,
+            repositoryUrl: gitInfo.remoteUrl || '',
+            sourceRef: gitInfo.sourceRef || '',
+            skillJson,
+            files,
+            entry: skillJson.entry || 'SKILL.md',
+            integrity
+        };
+        // Add optional fields
+        if (skillMd) payload.skillMd = {
+            name: skillMd.name,
+            description: skillMd.description,
+            license: skillMd.license,
+            compatibility: skillMd.compatibility,
+            allowedTools: skillMd.allowedTools
+        };
+        if (readme) payload.readmePreview = readme;
+        if (skillJson.keywords && skillJson.keywords.length > 0) payload.keywords = skillJson.keywords;
+        if (skillJson.compatibility) {
+            // Filter out undefined values from compatibility
+            const compat = {};
+            for (const [key, value] of Object.entries(skillJson.compatibility))if (void 0 !== value) compat[key] = value;
+            if (Object.keys(compat).length > 0) payload.compatibility = compat;
+        }
+        return payload;
+    }
     /**
-   * Check if a file/directory should be ignored
-   */ shouldIgnore(name) {
-        for (const pattern of SkillValidator.IGNORE_PATTERNS)if (pattern.startsWith('*')) {
-            // Wildcard pattern (e.g., *.log)
-            const ext = pattern.slice(1);
-            if (name.endsWith(ext)) return true;
-        } else if (name === pattern) return true;
-        return false;
+   * Format bytes for display
+   */ formatBytes(bytes) {
+        if (bytes < 1024) return `${bytes} B`;
+        if (bytes < 1048576) return `${(bytes / 1024).toFixed(1)} KB`;
+        return `${(bytes / 1048576).toFixed(1)} MB`;
     }
     /**
-   * Recursively add files from directory
-   */ addFilesFromDir(basePath, dirPath, files, seen) {
-        const fullPath = dirPath ? __WEBPACK_EXTERNAL_MODULE_node_path__.join(basePath, dirPath) : basePath;
-        const entries = external_node_fs_.readdirSync(fullPath, {
-            withFileTypes: true
-        });
-        for (const entry of entries){
-            // Skip ignored files/directories
-            if (this.shouldIgnore(entry.name)) continue;
-            const relativePath = dirPath ? __WEBPACK_EXTERNAL_MODULE_node_path__.join(dirPath, entry.name) : entry.name;
-            if (entry.isDirectory()) this.addFilesFromDir(basePath, relativePath, files, seen);
-            else if (!seen.has(relativePath)) {
-                files.push(relativePath);
-                seen.add(relativePath);
+   * Calculate total size of files
+   */ calculateTotalSize(skillPath, files) {
+        let total = 0;
+        for (const file of files){
+            const filePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, file);
+            if (external_node_fs_.existsSync(filePath)) {
+                const stats = external_node_fs_.statSync(filePath);
+                total += stats.size;
             }
         }
+        return total;
     }
+}
+/**
+ * SkillValidator - Validate skills for publishing
+ *
+ * Following agentskills.io specification: https://agentskills.io/specification
+ *
+ * Key points:
+ * - SKILL.md is the SOLE source of metadata (name, description, version, etc.)
+ * - skill.json is NOT used - all metadata comes from SKILL.md frontmatter
+ * - Version defaults to "0.0.0" if not specified in SKILL.md
+ */ // ============================================================================
+// Constants
+// ============================================================================
+const MAX_NAME_LENGTH = 64;
+const MAX_DESCRIPTION_LENGTH = 1024;
+const MAX_KEYWORDS = 10;
+const SINGLE_CHAR_NAME_PATTERN = /^[a-z0-9]$/;
+const DEFAULT_VERSION = '0.0.0';
+// Default files to include in publish
+const DEFAULT_FILES = [
+    'SKILL.md',
+    'README.md',
+    'LICENSE'
+];
+// ============================================================================
+// SkillValidator Class
+// ============================================================================
+class SkillValidator {
     /**
-   * Validate a skill directory for publishing
+   * Validate skill name format
    *
-   * Following agentskills.io specification:
-   * - SKILL.md is the SOLE source of metadata
-   * - name and description are REQUIRED in frontmatter
-   */ validate(skillPath) {
+   * Requirements:
+   * - Lowercase letters, numbers, and hyphens only
+   * - 1-64 characters
+   * - Cannot start or end with hyphen
+   * - Cannot have consecutive hyphens
+   */ validateName(name) {
         const errors = [];
-        const warnings = [];
-        // Check SKILL.md exists (REQUIRED per spec)
-        const skillMdPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, 'SKILL.md');
-        if (!external_node_fs_.existsSync(skillMdPath)) {
+        if (!name) {
             errors.push({
-                field: 'SKILL.md',
-                message: 'SKILL.md not found. This file is required for publishing.',
-                suggestion: 'Create a SKILL.md file with name and description in YAML frontmatter'
+                field: 'name',
+                message: 'Skill name is required',
+                suggestion: 'Add "name" field to SKILL.md frontmatter'
             });
             return {
                 valid: false,
                 errors,
-                warnings
+                warnings: []
             };
         }
-        // Parse SKILL.md
-        let skillMd;
-        try {
-            skillMd = parseSkillMdFile(skillMdPath);
-            if (!skillMd) {
-                errors.push({
-                    field: 'SKILL.md',
-                    message: 'SKILL.md must have valid YAML frontmatter with name and description',
-                    suggestion: 'Add frontmatter: ---\\nname: your-skill\\ndescription: Your description\\n---'
-                });
-                return {
-                    valid: false,
-                    errors,
-                    warnings
-                };
-            }
-        } catch (error) {
+        if (name.length > MAX_NAME_LENGTH) errors.push({
+            field: 'name',
+            message: `Skill name must be at most ${MAX_NAME_LENGTH} characters`,
+            suggestion: `Shorten the name to ${MAX_NAME_LENGTH} characters or less`
+        });
+        // Check for uppercase
+        if (/[A-Z]/.test(name)) errors.push({
+            field: 'name',
+            message: 'Skill name must be lowercase',
+            suggestion: `Change "${name}" to "${name.toLowerCase()}"`
+        });
+        // Check for invalid characters
+        if (/[^a-z0-9-]/.test(name)) errors.push({
+            field: 'name',
+            message: 'Skill name can only contain lowercase letters, numbers, and hyphens',
+            suggestion: 'Remove special characters from the name'
+        });
+        // Check pattern for multi-char names
+        if (1 === name.length) {
+            if (!SINGLE_CHAR_NAME_PATTERN.test(name)) errors.push({
+                field: 'name',
+                message: 'Single character name must be a lowercase letter or number'
+            });
+        } else if (name.length > 1) {
+            // Check start/end with hyphen
+            if (name.startsWith('-')) errors.push({
+                field: 'name',
+                message: 'Skill name cannot start with a hyphen'
+            });
+            if (name.endsWith('-')) errors.push({
+                field: 'name',
+                message: 'Skill name cannot end with a hyphen'
+            });
+            // Check consecutive hyphens
+            if (/--/.test(name)) errors.push({
+                field: 'name',
+                message: 'Skill name cannot contain consecutive hyphens'
+            });
+        }
+        return {
+            valid: 0 === errors.length,
+            errors,
+            warnings: []
+        };
+    }
+    /**
+   * Validate version format (semver)
+   */ validateVersion(version) {
+        const errors = [];
+        if (!version) {
             errors.push({
-                field: 'SKILL.md',
-                message: `Failed to parse SKILL.md: ${error.message}`,
-                suggestion: 'Check the YAML frontmatter syntax is valid'
+                field: 'version',
+                message: 'Version is required',
+                suggestion: 'Add "version" field to SKILL.md frontmatter (e.g., "1.0.0")'
             });
             return {
                 valid: false,
                 errors,
-                warnings
+                warnings: []
             };
         }
-        // Validate name from SKILL.md
-        const nameResult = this.validateName(skillMd.name);
-        errors.push(...nameResult.errors);
-        // Validate description from SKILL.md
-        const descResult = this.validateDescription(skillMd.description);
-        errors.push(...descResult.errors);
-        // Check version in SKILL.md
-        const skillMdVersion = skillMd.version || skillMd.metadata?.version;
-        if (skillMdVersion) {
-            // Validate the version from SKILL.md
-            const versionResult = this.validateVersion(skillMdVersion);
-            errors.push(...versionResult.errors);
-        } else warnings.push({
-            field: 'version',
-            message: `No version specified, defaulting to "${DEFAULT_VERSION}"`,
-            suggestion: 'Add version in SKILL.md frontmatter'
-        });
-        // Check keywords count (only if metadata.keywords is a valid array)
-        const keywords = skillMd.metadata?.keywords;
-        if (Array.isArray(keywords) && keywords.length > MAX_KEYWORDS) warnings.push({
-            field: 'keywords',
-            message: `Too many keywords (${keywords.length}). Recommended max: ${MAX_KEYWORDS}`
-        });
-        // Check license
-        if (!skillMd.license) warnings.push({
-            field: 'license',
-            message: 'No license specified',
-            suggestion: 'Add license in SKILL.md frontmatter'
+        // Check for v prefix
+        if (version.startsWith('v')) {
+            errors.push({
+                field: 'version',
+                message: 'Version should not have "v" prefix',
+                suggestion: `Change "${version}" to "${version.slice(1)}"`
+            });
+            return {
+                valid: false,
+                errors,
+                warnings: []
+            };
+        }
+        if (!__WEBPACK_EXTERNAL_MODULE_semver__.valid(version)) errors.push({
+            field: 'version',
+            message: `Invalid version format: "${version}". Must follow semver (x.y.z)`,
+            suggestion: 'Use format like "1.0.0" or "1.0.0-beta.1"'
         });
         return {
             valid: 0 === errors.length,
             errors,
-            warnings
+            warnings: []
         };
     }
     /**
-   * Generate integrity hash for files
-   */ generateIntegrity(skillPath, files) {
-        const hash = __WEBPACK_EXTERNAL_MODULE_node_crypto__.createHash('sha256');
-        // Sort files for consistent ordering
-        const sortedFiles = [
-            ...files
-        ].sort();
-        for (const file of sortedFiles){
-            const filePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, file);
-            if (external_node_fs_.existsSync(filePath)) {
-                hash.update(file);
-                const content = external_node_fs_.readFileSync(filePath);
-                hash.update(content);
-            }
+   * Validate description
+   *
+   * Following agentskills.io specification:
+   * - Max 1024 characters
+   * - Non-empty
+   */ validateDescription(description) {
+        const errors = [];
+        if (!description) {
+            errors.push({
+                field: 'description',
+                message: 'Description is required',
+                suggestion: 'Add "description" field to SKILL.md frontmatter'
+            });
+            return {
+                valid: false,
+                errors,
+                warnings: []
+            };
         }
-        return `sha256-${hash.digest('hex')}`;
+        if (description.length > MAX_DESCRIPTION_LENGTH) errors.push({
+            field: 'description',
+            message: `Description must be at most ${MAX_DESCRIPTION_LENGTH} characters`
+        });
+        // Note: angle brackets are allowed per agentskills.io spec
+        return {
+            valid: 0 === errors.length,
+            errors,
+            warnings: []
+        };
     }
-}
-/**
- * ContentScanner - Detect malicious patterns in SKILL.md content
- *
- * Features:
- * - Context-aware: skips safe zones (frontmatter, code blocks, quotes, blockquotes)
- * - 6 built-in detection rules across 3 risk levels
- * - Configurable: override levels, disable rules, add custom rules
- * - Pure string operations in scan() — no fs dependency, suitable for server use
- * - scanFile() convenience method for CLI use
- */ // ============================================================================
-// Safe Zone Masking
-// ============================================================================
-/**
- * Mask safe zones in Markdown content with spaces, preserving line structure.
- *
- * Safe zones (content replaced with spaces):
- * - YAML frontmatter (`---` ... `---` at file start)
- * - Fenced code blocks (``` or ~~~)
- * - Indented code blocks (4 spaces / tab after blank line)
- * - Blockquotes (`> ` prefix)
- * - Inline code (`` `...` ``)
- * - Double-quoted text (`"..."`, min 3 chars between quotes)
- *
- * Line breaks are preserved so line numbers remain correct.
- */ function maskSafeZones(content) {
-    const lines = content.split('\n');
-    const result = [];
-    let inFrontmatter = false;
-    let inFencedCode = false;
-    let fenceChar = '';
-    let fenceLength = 0;
-    let prevLineBlank = false;
-    let prevLineIndentedCode = false;
-    for(let i = 0; i < lines.length; i++){
-        const line = lines[i];
-        // --- YAML Frontmatter (only at file start) ---
-        if (0 === i && '---' === line.trim()) {
-            inFrontmatter = true;
-            result.push(maskLine(line));
-            continue;
-        }
-        if (inFrontmatter) {
-            result.push(maskLine(line));
-            if ('---' === line.trim()) inFrontmatter = false;
-            continue;
-        }
-        // --- Fenced code blocks (``` or ~~~) ---
-        const fenceMatch = line.match(/^(`{3,}|~{3,})/);
-        if (!inFencedCode && fenceMatch) {
-            inFencedCode = true;
-            fenceChar = fenceMatch[1][0];
-            fenceLength = fenceMatch[1].length;
-            result.push(maskLine(line));
-            prevLineBlank = false;
-            prevLineIndentedCode = false;
-            continue;
-        }
-        if (inFencedCode) {
-            result.push(maskLine(line));
-            const closeMatch = line.match(/^(`{3,}|~{3,})\s*$/);
-            if (closeMatch && closeMatch[1][0] === fenceChar && closeMatch[1].length >= fenceLength) inFencedCode = false;
-            prevLineBlank = false;
-            prevLineIndentedCode = false;
-            continue;
-        }
-        // --- Blockquote ---
-        if (/^>\s?/.test(line)) {
-            result.push(maskLine(line));
-            prevLineBlank = false;
-            prevLineIndentedCode = false;
-            continue;
+    /**
+   * Load skill information from directory
+   *
+   * Following agentskills.io specification:
+   * - SKILL.md is the SOLE source of metadata
+   * - skillJson is synthesized from SKILL.md for backward compatibility with publish API
+   */ loadSkill(skillPath) {
+        const result = {
+            path: skillPath,
+            skillJson: null,
+            skillMd: null,
+            readme: null,
+            files: []
+        };
+        // Load SKILL.md (sole source of metadata)
+        const skillMdPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, 'SKILL.md');
+        if (external_node_fs_.existsSync(skillMdPath)) try {
+            result.skillMd = parseSkillMdFile(skillMdPath);
+            // Always synthesize skillJson from SKILL.md for backward compatibility
+            if (result.skillMd) result.skillJson = this.synthesizeSkillJson(result.skillMd);
+        } catch  {
+        // Will be caught in validation
         }
-        // --- Indented code block (4 spaces or tab, after blank line) ---
-        if (/^(?:    |\t)/.test(line) && (prevLineBlank || prevLineIndentedCode)) {
-            result.push(maskLine(line));
-            prevLineBlank = false;
-            prevLineIndentedCode = true;
-            continue;
+        // Load README.md
+        const readmePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, 'README.md');
+        if (external_node_fs_.existsSync(readmePath)) {
+            const content = external_node_fs_.readFileSync(readmePath, 'utf-8');
+            // Only keep first 500 chars as preview
+            result.readme = content.slice(0, 500);
         }
-        // --- Normal line: mask inline code and double-quoted text ---
-        result.push(maskInline(line));
-        prevLineBlank = '' === line.trim();
-        prevLineIndentedCode = false;
+        // Scan files (use files array from SKILL.md metadata if available)
+        const filesPattern = result.skillMd?.metadata?.files;
+        result.files = this.scanFiles(skillPath, filesPattern);
+        return result;
     }
-    return result.join('\n');
-}
-/** Replace all characters in a line with spaces (preserving length) */ function maskLine(line) {
-    return ' '.repeat(line.length);
-}
-/**
- * Mask inline code (`` `...` ``) and double-quoted text (`"..."`) within a line.
- * Uses regex replacement for efficiency (avoids char-by-char concatenation on long lines).
- * Single quotes are NOT masked to avoid false matches with apostrophes.
- */ function maskInline(line) {
-    let result = line;
-    // Inline code: `...`
-    result = result.replace(/`[^`]+`/g, (m)=>' '.repeat(m.length));
-    // Double-quoted text: "..." (min 3 chars between quotes)
-    result = result.replace(/"[^"]{3,}"/g, (m)=>' '.repeat(m.length));
-    return result;
-}
-// ============================================================================
-// Rule Helpers
-// ============================================================================
-/** Find lines matching any of the given patterns, return one match per line */ function findLineMatches(content, patterns) {
-    const lines = content.split('\n');
-    const matches = [];
-    for(let i = 0; i < lines.length; i++)for (const pattern of patterns)if (pattern.test(lines[i])) {
-        matches.push({
-            line: i + 1
-        });
-        break;
+    /**
+   * Synthesize a SkillJson object from SKILL.md frontmatter
+   *
+   * This creates a SkillJson representation from SKILL.md for backward compatibility
+   * with the publish API. All metadata comes from SKILL.md.
+   */ synthesizeSkillJson(skillMd) {
+        // Extract version: first from top-level frontmatter, then from metadata, then default
+        const version = skillMd.version || skillMd.metadata?.version || DEFAULT_VERSION;
+        // Only include keywords if it's a valid array
+        const keywords = Array.isArray(skillMd.metadata?.keywords) ? skillMd.metadata.keywords : void 0;
+        return {
+            name: skillMd.name,
+            version,
+            description: skillMd.description,
+            license: skillMd.license,
+            keywords,
+            entry: 'SKILL.md'
+        };
     }
-    return matches;
-}
-// ============================================================================
-// Default Rules
-// ============================================================================
-const SNIPPET_MAX_LENGTH = 120;
-/** Built-in detection rules */ const DEFAULT_RULES = [
-    // Rule 1: Prompt Injection (high)
-    {
-        id: 'prompt-injection',
-        level: 'high',
-        message: 'Detected prompt injection attempt',
-        skipSafeZones: true,
-        check: (content)=>findLineMatches(content, [
-                // English patterns
-                /ignore\s+(all\s+)?previous\s+instructions/i,
-                /disregard\s+(all\s+)?(prior|previous|above)\s+(instructions|rules|context)/i,
-                /you\s+are\s+now\s+(?:(?:a|an)\s+)?(?:(?:\w+\s+){0,3}(?:agent|ai|assistant|bot|model|character|persona|entity|system)|DAN\b|jailbr\w*|unrestricted|unfiltered|free\s+from)/i,
-                /from\s+now\s+on[,\s]+you\s+are/i,
-                /new\s+system\s+prompt/i,
-                /override\s+(your|the)\s+(system|safety|security)\s+(prompt|rules|instructions)/i,
-                /forget\s+(?:all\s+)?(?:your\s+)?(?:previous\s+|prior\s+)?(?:instructions|rules|constraints)/i,
-                /(?:you\s+are|you're)\s+(?:now\s+)?entering\s+(?:a\s+)?new\s+(?:mode|context|session)/i,
-                // Chinese patterns (中文提示词注入)
-                /[忽无][略视]\s*(所有\s*)?(之前的?|先前的?|以前的?)?\s*(指令|指示|规则|约束|限制)/,
-                /你现在是/,
-                /从现在开始.{0,10}你是/,
-                /新的系统提示词/,
-                /[覆改]写?\s*(你的|系统)\s*(提示词|规则|指令|安全)/,
-                /忘记\s*(所有\s*)?(之前的?|先前的?)?\s*(指令|指示|规则|约束)/,
-                /进入.{0,5}新的?\s*(模式|上下文|会话)/,
-                /不要遵守.{0,10}(安全|限制|规则|约束)/,
-                /解除.{0,5}(限制|约束|安全)/,
-                /无限制模式/,
-                /安全模式已关闭/
-            ])
-    },
-    // Rule 2: Data Exfiltration (high)
-    {
-        id: 'data-exfiltration',
-        level: 'high',
-        message: 'Detected potential data exfiltration command',
-        skipSafeZones: true,
-        check: (content)=>{
-            const lines = content.split('\n');
-            const matches = [];
-            const commandPattern = /\b(curl|wget|fetch|http\.post|requests\.post|nc\b|ncat|netcat)\b/i;
-            const sensitivePattern = /(\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|AUTH)[A-Z_]*|\$ENV\b|\$\{[^}]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)[^}]*\})/i;
-            for(let i = 0; i < lines.length; i++)if (commandPattern.test(lines[i]) && sensitivePattern.test(lines[i])) matches.push({
-                line: i + 1
-            });
-            return matches;
-        }
-    },
-    // Rule 3: Content Obfuscation (high) — scans ALL content including safe zones
-    {
-        id: 'obfuscation',
-        level: 'high',
-        message: 'Detected content obfuscation',
-        skipSafeZones: false,
-        check: (content)=>{
-            const matches = [];
-            const lines = content.split('\n');
-            // Zero-width characters (suspicious in any context)
-            const zeroWidthPattern = /[\u200B\u200C\u200D\uFEFF\u2060\u180E]/;
-            for(let i = 0; i < lines.length; i++)if (zeroWidthPattern.test(lines[i])) matches.push({
-                line: i + 1,
-                snippet: 'Zero-width Unicode characters detected'
-            });
-            // Long base64-like strings (>200 continuous chars)
-            const base64Pattern = /[A-Za-z0-9+/=]{200,}/;
-            for(let i = 0; i < lines.length; i++)if (base64Pattern.test(lines[i])) matches.push({
-                line: i + 1,
-                snippet: 'Suspicious base64-encoded block detected'
-            });
-            // Large HTML comments (>200 chars of content)
-            const commentRegex = /<!--([\s\S]{200,}?)-->/g;
-            let match;
-            // biome-ignore lint/suspicious/noAssignInExpressions: standard regex exec loop
-            while(null !== (match = commentRegex.exec(content))){
-                const lineNum = content.slice(0, match.index).split('\n').length;
-                matches.push({
-                    line: lineNum,
-                    snippet: `Large HTML comment block (${match[1].length} chars)`
-                });
-            }
-            return matches;
-        }
-    },
-    // Rule 4: Sensitive File Access (medium)
-    {
-        id: 'sensitive-file-access',
-        level: 'medium',
-        message: 'References sensitive file path',
-        skipSafeZones: true,
-        check: (content)=>findLineMatches(content, [
-                /~\/\.ssh\b/,
-                /~\/\.aws\b/,
-                /~\/\.gnupg\b/,
-                /~\/\.config\/gcloud\b/,
-                /\bid_rsa\b/i,
-                /\bid_ed25519\b/i,
-                /\/etc\/passwd\b/,
-                /\/etc\/shadow\b/,
-                /\.env\b(?!\.\w)/
-            ])
-    },
-    // Rule 5: Stealth Instructions (medium) — phrase + action verb matching
-    {
-        id: 'stealth-instructions',
-        level: 'medium',
-        message: 'Detected instruction to hide actions from user',
-        skipSafeZones: true,
-        check: (content)=>{
-            const actionVerbs = 'execute|delete|remove|send|transmit|modify|overwrite|install|download|upload|run|write|create|destroy|drop';
-            const patterns = [
-                // English patterns
-                new RegExp(`silently\\s+(?:${actionVerbs})`, 'i'),
-                new RegExp(`without\\s+telling\\s+the\\s+user.{0,30}(?:${actionVerbs})`, 'i'),
-                new RegExp("(?:do\\s+not|don'?t)\\s+show\\s+.{0,40}(?:to\\s+the\\s+user|to\\s+user)", 'i'),
-                new RegExp("hide\\s+(?:this|the|these|all)\\s+.{0,30}(?:from\\s+the\\s+user|from\\s+user)", 'i'),
-                new RegExp("(?:do\\s+not|don'?t)\\s+mention\\s+.{0,30}(?:to\\s+the\\s+user|to\\s+user)", 'i'),
-                new RegExp("keep\\s+(?:this|it)\\s+(?:a\\s+)?secret\\s+from\\s+(?:the\\s+)?user", 'i'),
-                // Chinese patterns (中文隐蔽指令)
-                /悄悄地?\s*(?:执行|删除|移除|发送|传输|修改|覆盖|安装|下载|上传|运行|写入|创建|销毁|丢弃)/,
-                /不要告诉用户/,
-                /不要让用户知道/,
-                /对用户隐藏/,
-                /在用户不知情的情况下/,
-                /瞒着用户/
-            ];
-            // Safe patterns to exclude (common in legitimate DevOps/automation skills)
-            const safePatterns = [
-                /silently\s+(?:ignore|skip|fail|discard|suppress|continue|pass|drop|swallow)/i,
-                // Chinese safe patterns (中文合法自动化用语)
-                /悄悄地?\s*(?:忽略|跳过|丢弃|抑制|继续|静默)/
-            ];
-            const lines = content.split('\n');
-            const matches = [];
-            for(let i = 0; i < lines.length; i++){
-                const line = lines[i];
-                if (!safePatterns.some((p)=>p.test(line))) {
-                    for (const pattern of patterns)if (pattern.test(line)) {
-                        matches.push({
-                            line: i + 1
-                        });
-                        break;
-                    }
+    /**
+   * Scan files to include in publish
+   *
+   * If includePatterns is specified, only include those files/directories.
+   * Otherwise, scan all files in the directory (excluding ignored patterns).
+   */ scanFiles(skillPath, includePatterns) {
+        const files = [];
+        const seen = new Set();
+        // If includePatterns specified, use selective scanning
+        if (includePatterns && includePatterns.length > 0) {
+            // Add default files first
+            for (const file of DEFAULT_FILES){
+                const filePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, file);
+                if (external_node_fs_.existsSync(filePath) && !seen.has(file)) {
+                    files.push(file);
+                    seen.add(file);
                 }
             }
-            return matches;
-        }
-    },
-    // Rule 6: Oversized Content (low) — scans ALL content
-    {
-        id: 'oversized-content',
-        level: 'low',
-        message: 'Content exceeds recommended size limit',
-        skipSafeZones: false,
-        check: (content)=>{
-            const MAX_SIZE_BYTES = 51200;
-            const sizeBytes = Buffer.byteLength(content, 'utf-8');
-            if (sizeBytes > MAX_SIZE_BYTES) return [
-                {
-                    snippet: `Content size: ${(sizeBytes / 1024).toFixed(1)}KB (limit: 50KB)`
+            // Add files from SKILL.md metadata.files array
+            for (const pattern of includePatterns){
+                const targetPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, pattern);
+                if (external_node_fs_.existsSync(targetPath)) {
+                    const stat = external_node_fs_.statSync(targetPath);
+                    if (stat.isDirectory()) // Recursively add all files in directory
+                    this.addFilesFromDir(skillPath, pattern, files, seen);
+                    else if (!seen.has(pattern)) {
+                        files.push(pattern);
+                        seen.add(pattern);
+                    }
                 }
-            ];
-            return [];
-        }
-    }
-];
-// ============================================================================
-// ContentScanner
-// ============================================================================
-/** Build the effective rule set from defaults + options */ function buildRuleSet(options) {
-    let rules = DEFAULT_RULES.map((r)=>({
-            ...r
-        }));
-    if (options?.disabledRules?.length) {
-        const disabled = new Set(options.disabledRules);
-        rules = rules.filter((r)=>!disabled.has(r.id));
+            }
+        } else // No includePatterns: scan entire directory (default behavior)
+        this.addFilesFromDir(skillPath, '', files, seen);
+        return files;
     }
-    if (options?.overrides) for (const rule of rules){
-        const override = options.overrides[rule.id];
-        if (override) rule.level = override;
+    /**
+   * Patterns to ignore when scanning directories
+   */ static IGNORE_PATTERNS = [
+        '.git',
+        '.svn',
+        '.hg',
+        'node_modules',
+        '.DS_Store',
+        'Thumbs.db',
+        '.idea',
+        '.vscode',
+        '*.log',
+        '*.tmp',
+        '*.swp',
+        '*.bak'
+    ];
+    /**
+   * Check if a file/directory should be ignored
+   */ shouldIgnore(name) {
+        for (const pattern of SkillValidator.IGNORE_PATTERNS)if (pattern.startsWith('*')) {
+            // Wildcard pattern (e.g., *.log)
+            const ext = pattern.slice(1);
+            if (name.endsWith(ext)) return true;
+        } else if (name === pattern) return true;
+        return false;
     }
-    if (options?.customRules?.length) rules.push(...options.customRules);
-    return rules;
-}
-/**
- * Content scanner for SKILL.md files.
- *
- * Detects prompt injection, data exfiltration, obfuscation, sensitive file
- * access, stealth instructions, and oversized content.
- *
- * @example
- * ```typescript
- * // Default usage (CLI)
- * const scanner = new ContentScanner();
- * const result = scanner.scan(content);
- *
- * // Custom usage (private registry server)
- * const scanner = new ContentScanner({
- *   overrides: { 'prompt-injection': 'medium' },
- *   disabledRules: ['stealth-instructions'],
- * });
- * ```
- */ class ContentScanner {
-    rules;
-    constructor(options){
-        this.rules = buildRuleSet(options);
+    /**
+   * Recursively add files from directory
+   */ addFilesFromDir(basePath, dirPath, files, seen) {
+        const fullPath = dirPath ? __WEBPACK_EXTERNAL_MODULE_node_path__.join(basePath, dirPath) : basePath;
+        const entries = external_node_fs_.readdirSync(fullPath, {
+            withFileTypes: true
+        });
+        for (const entry of entries){
+            // Skip ignored files/directories
+            if (this.shouldIgnore(entry.name)) continue;
+            const relativePath = dirPath ? __WEBPACK_EXTERNAL_MODULE_node_path__.join(dirPath, entry.name) : entry.name;
+            if (entry.isDirectory()) this.addFilesFromDir(basePath, relativePath, files, seen);
+            else if (!seen.has(relativePath)) {
+                files.push(relativePath);
+                seen.add(relativePath);
+            }
+        }
     }
     /**
-   * Scan content string for malicious patterns.
-   * Pure string operation — no file system access.
-   */ scan(content) {
-        const originalLines = content.split('\n');
-        const maskedContent = maskSafeZones(content);
-        const findings = [];
-        for (const rule of this.rules){
-            const targetContent = rule.skipSafeZones ? maskedContent : content;
-            const matches = rule.check(targetContent);
-            for (const match of matches){
-                // Use custom snippet if provided, otherwise generate from original content
-                const snippet = match.snippet ?? (null != match.line ? originalLines[match.line - 1]?.trim().slice(0, SNIPPET_MAX_LENGTH) : void 0);
-                findings.push({
-                    rule: rule.id,
-                    level: rule.level,
-                    message: rule.message,
-                    line: match.line,
-                    snippet
+   * Validate a skill directory for publishing
+   *
+   * Following agentskills.io specification:
+   * - SKILL.md is the SOLE source of metadata
+   * - name and description are REQUIRED in frontmatter
+   */ validate(skillPath) {
+        const errors = [];
+        const warnings = [];
+        // Check SKILL.md exists (REQUIRED per spec)
+        const skillMdPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, 'SKILL.md');
+        if (!external_node_fs_.existsSync(skillMdPath)) {
+            errors.push({
+                field: 'SKILL.md',
+                message: 'SKILL.md not found. This file is required for publishing.',
+                suggestion: 'Create a SKILL.md file with name and description in YAML frontmatter'
+            });
+            return {
+                valid: false,
+                errors,
+                warnings
+            };
+        }
+        // Parse SKILL.md
+        let skillMd;
+        try {
+            skillMd = parseSkillMdFile(skillMdPath);
+            if (!skillMd) {
+                errors.push({
+                    field: 'SKILL.md',
+                    message: 'SKILL.md must have valid YAML frontmatter with name and description',
+                    suggestion: 'Add frontmatter: ---\\nname: your-skill\\ndescription: Your description\\n---'
                 });
+                return {
+                    valid: false,
+                    errors,
+                    warnings
+                };
             }
+        } catch (error) {
+            errors.push({
+                field: 'SKILL.md',
+                message: `Failed to parse SKILL.md: ${error.message}`,
+                suggestion: 'Check the YAML frontmatter syntax is valid'
+            });
+            return {
+                valid: false,
+                errors,
+                warnings
+            };
         }
-        const hasHighRisk = findings.some((f)=>'high' === f.level);
+        // Validate name from SKILL.md
+        const nameResult = this.validateName(skillMd.name);
+        errors.push(...nameResult.errors);
+        // Validate description from SKILL.md
+        const descResult = this.validateDescription(skillMd.description);
+        errors.push(...descResult.errors);
+        // Check version in SKILL.md
+        const skillMdVersion = skillMd.version || skillMd.metadata?.version;
+        if (skillMdVersion) {
+            // Validate the version from SKILL.md
+            const versionResult = this.validateVersion(skillMdVersion);
+            errors.push(...versionResult.errors);
+        } else warnings.push({
+            field: 'version',
+            message: `No version specified, defaulting to "${DEFAULT_VERSION}"`,
+            suggestion: 'Add version in SKILL.md frontmatter'
+        });
+        // Check keywords count (only if metadata.keywords is a valid array)
+        const keywords = skillMd.metadata?.keywords;
+        if (Array.isArray(keywords) && keywords.length > MAX_KEYWORDS) warnings.push({
+            field: 'keywords',
+            message: `Too many keywords (${keywords.length}). Recommended max: ${MAX_KEYWORDS}`
+        });
+        // Check license
+        if (!skillMd.license) warnings.push({
+            field: 'license',
+            message: 'No license specified',
+            suggestion: 'Add license in SKILL.md frontmatter'
+        });
         return {
-            passed: !hasHighRisk,
-            findings
+            valid: 0 === errors.length,
+            errors,
+            warnings
         };
     }
     /**
-   * Scan a file for malicious patterns.
-   * Convenience wrapper that reads the file then calls scan().
-   */ scanFile(filePath) {
-        const content = external_node_fs_.readFileSync(filePath, 'utf-8');
-        return this.scan(content);
+   * Generate integrity hash for files
+   */ generateIntegrity(skillPath, files) {
+        const hash = __WEBPACK_EXTERNAL_MODULE_node_crypto__.createHash('sha256');
+        // Sort files for consistent ordering
+        const sortedFiles = [
+            ...files
+        ].sort();
+        for (const file of sortedFiles){
+            const filePath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(skillPath, file);
+            if (external_node_fs_.existsSync(filePath)) {
+                hash.update(file);
+                const content = external_node_fs_.readFileSync(filePath);
+                hash.update(content);
+            }
+        }
+        return `sha256-${hash.digest('hex')}`;
     }
 }
 /**
@@ -8759,6 +9342,7 @@ async function publishAction(skillPath, options) {
     const absolutePath = __WEBPACK_EXTERNAL_MODULE_node_path__.resolve(skillPath);
     // Use cwd() as project root to find skills.json, not the skill path
     const registry = resolveRegistry(options.registry, process.cwd());
+    let normalizedGroupPath;
     // Validate registry is not a blocked public registry
     validateRegistry(registry);
     // Check directory exists
@@ -8766,6 +9350,14 @@ async function publishAction(skillPath, options) {
         logger_logger.error(`Directory not found: ${skillPath}`);
         process.exit(1);
     }
+    if (options.group) {
+        normalizedGroupPath = normalizeGroupPath(options.group);
+        const validation = validateGroupPath(normalizedGroupPath);
+        if (!validation.valid) {
+            logger_logger.error(validation.error);
+            process.exit(1);
+        }
+    }
     const validator = new SkillValidator();
     const publisher = new Publisher();
     try {
@@ -8796,7 +9388,7 @@ async function publishAction(skillPath, options) {
         const validation = validator.validate(absolutePath);
         // 3.5. Content security scan
         const skillMdPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(absolutePath, 'SKILL.md');
-        if (external_node_fs_.existsSync(skillMdPath)) {
+        if (exists(skillMdPath)) {
             const scanner = new ContentScanner();
             const scanResult = scanner.scanFile(skillMdPath);
             displayScanFindings(scanResult);
@@ -8851,6 +9443,11 @@ async function publishAction(skillPath, options) {
         displayFiles(absolutePath, skill.files, publisher);
         // Display metadata
         displayMetadata(skill);
+        // Display group info
+        if (normalizedGroupPath) {
+            logger_logger.newline();
+            logger_logger.log(`Group: ${normalizedGroupPath}`);
+        }
         // 8. Dry run mode ends here
         if (options.dryRun && payload) {
             displayDryRunSummary(payload);
@@ -8896,7 +9493,8 @@ async function publishAction(skillPath, options) {
                 process.exit(1);
             }
             const result = await client.publish(skillName, payload, absolutePath, {
-                tag: options.tag
+                tag: options.tag,
+                groupPath: normalizedGroupPath
             });
             if (!result.success || !result.data) {
                 logger_logger.error(result.error || 'Publish failed');
@@ -8930,7 +9528,7 @@ async function publishAction(skillPath, options) {
 // ============================================================================
 // Command Definition
 // ============================================================================
-const publishCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('publish').alias('pub').description('Publish a skill to the registry').argument('[path]', 'Path to skill directory', '.').option('-r, --registry <url>', 'Registry URL (or set RESKILL_REGISTRY env var, or defaults.publishRegistry in skills.json)').option('-t, --tag <tag>', 'Git tag to publish').option('--access <level>', 'Access level: public or restricted', 'public').option('-n, --dry-run', 'Validate without publishing').option('-y, --yes', 'Skip confirmation prompts').action(publishAction);
+const publishCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('publish').alias('pub').description('Publish a skill to the registry').argument('[path]', 'Path to skill directory', '.').option('-r, --registry <url>', 'Registry URL (or set RESKILL_REGISTRY env var, or defaults.publishRegistry in skills.json)').option('-t, --tag <tag>', 'Git tag to publish').option('--access <level>', 'Access level: public or restricted', 'public').option('-n, --dry-run', 'Validate without publishing').option('-y, --yes', 'Skip confirmation prompts').option('-g, --group <path>', 'Publish skill into a group (e.g., "kanyun/frontend")').action(publishAction);
 /**
  * uninstall command - Uninstall one or more skills
  */ const uninstallCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('uninstall').alias('un').alias('remove').alias('rm').description('Uninstall one or more skills').argument('<skills...>', 'Skill names to uninstall').option('-g, --global', 'Uninstall from global installation (~/.claude/skills)').option('-y, --yes', 'Skip confirmation prompts').action(async (skillNames, options)=>{
@@ -9106,6 +9704,7 @@ program.addCommand(publishCommand);
 program.addCommand(loginCommand);
 program.addCommand(logoutCommand);
 program.addCommand(whoamiCommand);
+program.addCommand(groupCommand);
 program.addCommand(completionCommand);
 program.addCommand(doctorCommand);
 // Start update check in background (non-blocking)