reskill 1.16.0 → 1.17.1

package/dist/cli/index.js

@@ -3473,6 +3473,7 @@ class RegistryClient {
         formData.append('metadata', JSON.stringify(metadata));
         if (payload.skillMd?.allowedTools) formData.append('allowed_tools', payload.skillMd.allowedTools.join(' '));
         if (options.tag) formData.append('tag', options.tag);
+        if (options.groupPath) formData.append('group_path', options.groupPath);
         // Append tarball as Blob
         const tarballBlob = new Blob([
             tarball
@@ -3490,6 +3491,186 @@ class RegistryClient {
         if (!response.ok) throw new RegistryError(data.error || `Publish failed: ${response.status}`, response.status, data);
         return data;
     }
+    // ============================================================================
+    // Group Methods
+    // ============================================================================
+    /**
+   * Resolve a human-readable group path to its details.
+   *
+   * @param groupPath - Human-readable path (e.g., "kanyun/frontend")
+   * @returns Group detail with current_user_role if authenticated
+   * @throws RegistryError if not found or request failed
+   */ async resolveGroup(groupPath) {
+        const params = new URLSearchParams({
+            path: groupPath
+        });
+        const url = `${this.getApiBase()}/skill-groups/resolve?${params.toString()}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Group not found: ${groupPath}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * List groups visible to the current user.
+   *
+   * @param options - Filter options (parent_id, visibility)
+   * @returns Array of groups
+   */ async listGroups(options = {}) {
+        const params = new URLSearchParams();
+        if (options.parentId) params.set('parent_id', options.parentId);
+        if (options.visibility) params.set('visibility', options.visibility);
+        if (options.flat) params.set('flat', 'true');
+        const qs = params.toString();
+        const url = `${this.getApiBase()}/skill-groups${qs ? `?${qs}` : ''}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to list groups: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * Create a new skill group.
+   *
+   * @param input - Group creation parameters
+   * @returns Created group
+   */ async createGroup(input) {
+        const url = `${this.getApiBase()}/skill-groups`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                ...this.getAuthHeaders(),
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify(input)
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to create group: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * Delete a skill group.
+   *
+   * @param groupId - Group UUID
+   * @param dryRun - If true, only preview what would be deleted
+   * @returns Deletion result (affected skills count in dry-run mode)
+   */ async deleteGroup(groupId, dryRun = false) {
+        const params = dryRun ? '?dry_run=true' : '';
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}${params}`;
+        const response = await fetch(url, {
+            method: 'DELETE',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to delete group: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * List members of a group.
+   *
+   * @param groupId - Group UUID
+   * @returns Array of members
+   */ async listGroupMembers(groupId) {
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to list members: ${response.status}`, response.status, data);
+        }
+        const body = await response.json();
+        return body.data;
+    }
+    /**
+   * Add members to a group.
+   *
+   * @param groupId - Group UUID
+   * @param userIds - Array of user IDs to add
+   * @param role - Role to assign (defaults to 'developer')
+   */ async addGroupMembers(groupId, userIds, role = 'developer') {
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                ...this.getAuthHeaders(),
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({
+                user_ids: userIds,
+                role
+            })
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to add members: ${response.status}`, response.status, data);
+        }
+    }
+    /**
+   * Remove a member from a group.
+   *
+   * @param groupId - Group UUID
+   * @param userId - User ID to remove
+   */ async removeGroupMember(groupId, userId) {
+        const params = new URLSearchParams({
+            user_id: userId
+        });
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members?${params.toString()}`;
+        const response = await fetch(url, {
+            method: 'DELETE',
+            headers: this.getAuthHeaders()
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to remove member: ${response.status}`, response.status, data);
+        }
+    }
+    /**
+   * Update a member's role in a group.
+   *
+   * @param groupId - Group UUID
+   * @param userId - User ID to update
+   * @param role - New role to assign
+   */ async updateGroupMemberRole(groupId, userId, role) {
+        const encodedGroupId = encodeURIComponent(groupId);
+        const url = `${this.getApiBase()}/skill-groups/${encodedGroupId}/members`;
+        const response = await fetch(url, {
+            method: 'PATCH',
+            headers: {
+                ...this.getAuthHeaders(),
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({
+                user_id: userId,
+                role
+            })
+        });
+        if (!response.ok) {
+            const data = await response.json();
+            throw new RegistryError(data.error || `Failed to update member role: ${response.status}`, response.status, data);
+        }
+    }
 }
 /**
  * Tarball Extractor (Step 3.6)
@@ -4784,15 +4965,15 @@ class RegistryResolver {
     /**
    * Install a web-published skill.
    *
-   * Web-published skills do not support versioning. Branches to different
+   * Web-published skills (except local) do not support versioning. Branches to different
    * installation logic based on source_type:
    * - github/gitlab: reuses installToAgentsFromGit
    * - oss_url/custom_url: reuses installToAgentsFromHttp
    * - local: downloads tarball via Registry API
    */ async installFromWebPublished(skillInfo, parsed, targetAgents, options = {}) {
         const { source_type, source_url } = skillInfo;
-        // Web-published skills do not support version specifiers
-        if (parsed.version && 'latest' !== parsed.version) throw new Error(`Version specifier not supported for web-published skills.\n'${parsed.fullName}' was published via web and does not support versioning.\nUse: reskill install ${parsed.fullName}`);
+        // Web-published skills (except local) do not support version specifiers
+        if ('local' !== source_type && parsed.version && 'latest' !== parsed.version) throw new Error(`Version specifier not supported for web-published skills.\n'${parsed.fullName}' was published via web and does not support versioning.\nUse: reskill install ${parsed.fullName}`);
         if (!source_url) throw new Error(`Missing source_url for web-published skill: ${parsed.fullName}`);
         logger_logger["package"](`Installing ${parsed.fullName} from ${source_type} source...`);
         // Build registry context so downstream methods use the registry name
@@ -4883,12 +5064,13 @@ class RegistryResolver {
         const { save = true, mode = 'symlink' } = options;
         const registryUrl = await this.resolveRegistryUrl(parsed.fullName, options.registry);
         const shortName = getShortName(parsed.fullName);
-        const version = 'latest';
-        // Download tarball via RegistryClient (handles auth + 302 redirect to signed URL)
+        // Resolve version via dist-tags (supports @latest, @1.0.0, etc.)
         const client = new RegistryClient({
             registry: registryUrl,
             token: options.token
         });
+        const version = await client.resolveVersion(parsed.fullName, parsed.version);
+        // Download tarball via RegistryClient (handles auth + 302 redirect to signed URL)
         const { tarball } = await client.downloadSkill(parsed.fullName, version);
         logger_logger["package"](`Installing ${shortName} from ${registryUrl} to ${targetAgents.length} agent(s)...`);
         // Extract tarball to temp directory (clean stale files first)
@@ -6419,6 +6601,406 @@ class AuthManager {
 // Command Definition
 // ============================================================================
 const findCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('find').alias('search').description('Search for skills in the registry').argument('<query>', 'Search query').option('-r, --registry <url>', 'Registry URL (or set RESKILL_REGISTRY env var, or defaults.publishRegistry in skills.json)').option('-l, --limit <n>', 'Maximum number of results', '10').option('-j, --json', 'Output as JSON').action(findAction);
+/**
+ * Group path utilities — normalization, slug generation, and validation.
+ *
+ * Shared by the `group` and `publish` CLI commands.
+ */ const SLUG_REGEX = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+const MAX_GROUP_DEPTH = 3;
+const MAX_SEGMENT_LENGTH = 64;
+/**
+ * Normalize a group path for API usage.
+ *
+ * Rules from spec §13.2:
+ * - Strip leading/trailing slashes and whitespace
+ * - Collapse consecutive slashes
+ * - Lowercase
+ */ function normalizeGroupPath(raw) {
+    return raw.trim().replace(/\/+/g, '/').replace(/^\/|\/$/g, '').toLowerCase();
+}
+/**
+ * Generate a URL-safe slug from a human-readable name.
+ *
+ * Spec §13.4:
+ * - Lowercase, trim, replace spaces/underscores with hyphens
+ * - Strip non-alphanumeric characters (except hyphens)
+ * - Collapse consecutive hyphens, strip leading/trailing hyphens
+ * - Truncate to MAX_SEGMENT_LENGTH characters
+ */ function generateSlug(name) {
+    return name.toLowerCase().trim().replace(/[\s_]+/g, '-').replace(/[^a-z0-9-]/g, '').replace(/-+/g, '-').replace(/^-|-$/g, '').slice(0, MAX_SEGMENT_LENGTH).replace(/-$/g, '');
+}
+/**
+ * Validate a normalized group path.
+ *
+ * Spec §13.2:
+ * - Segment slug must match SLUG_REGEX
+ * - Segment length <= 64
+ * - Max depth <= 3
+ */ function validateGroupPath(path) {
+    if (!path) return {
+        valid: false,
+        error: 'Group path cannot be empty'
+    };
+    const segments = path.split('/');
+    if (segments.length > MAX_GROUP_DEPTH) return {
+        valid: false,
+        error: `Group path depth cannot exceed ${MAX_GROUP_DEPTH} segments`
+    };
+    for (const segment of segments){
+        if (segment.length > MAX_SEGMENT_LENGTH) return {
+            valid: false,
+            error: `Group path segment "${segment}" exceeds ${MAX_SEGMENT_LENGTH} characters`
+        };
+        if (!SLUG_REGEX.test(segment)) return {
+            valid: false,
+            error: `Invalid group path segment "${segment}". Segments must match ${SLUG_REGEX}`
+        };
+    }
+    return {
+        valid: true
+    };
+}
+/**
+ * group command - Manage skill groups
+ *
+ * Provides subcommands for listing, creating, inspecting, and deleting
+ * skill groups, as well as managing group membership.
+ *
+ * Usage:
+ *   reskill group list                           # List visible groups
+ *   reskill group create <name>                  # Create a group
+ *   reskill group info <path>                    # Show group details
+ *   reskill group delete <path>                  # Delete a group
+ *   reskill group member list <path>             # List members
+ *   reskill group member add <path> <users...>   # Add members
+ *   reskill group member remove <path> <user>    # Remove a member
+ *   reskill group member role <path> <user> <role> # Change member role
+ */ // ============================================================================
+// Constants
+// ============================================================================
+const VALID_ROLES = [
+    'owner',
+    'maintainer',
+    'developer'
+];
+/**
+ * Validate that a role string is one of the allowed values.
+ */ function validateRole(role) {
+    return VALID_ROLES.includes(role);
+}
+function assertValidGroupPath(path) {
+    const validation = validateGroupPath(path);
+    if (!validation.valid) {
+        logger_logger.error(validation.error);
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Client Factory
+// ============================================================================
+function createClient(registry) {
+    const authManager = new AuthManager();
+    const token = authManager.getToken(registry);
+    if (!token) {
+        logger_logger.error('Authentication required');
+        logger_logger.newline();
+        logger_logger.log("Run 'reskill login' to authenticate.");
+        process.exit(1);
+    }
+    return new RegistryClient({
+        registry,
+        token
+    });
+}
+// ============================================================================
+// Display Helpers
+// ============================================================================
+function getGroupIndentLevel(group) {
+    if ('number' == typeof group.level && Number.isFinite(group.level)) return Math.max(0, group.level - 1);
+    return Math.max(0, group.path.split('/').length - 1);
+}
+function displayGroupList(groups, json, tree = false) {
+    if (json) {
+        console.log(JSON.stringify(groups, null, 2));
+        return;
+    }
+    if (0 === groups.length) {
+        logger_logger.warn('No groups found');
+        return;
+    }
+    logger_logger.newline();
+    logger_logger.log(`Found ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(String(groups.length))} group${1 === groups.length ? '' : 's'}:`);
+    logger_logger.newline();
+    if (tree) {
+        const sortedGroups = [
+            ...groups
+        ].sort((a, b)=>a.path.localeCompare(b.path));
+        for (const group of sortedGroups){
+            const vis = 'private' === group.visibility ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].yellow(' (private)') : '';
+            const desc = group.description ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(` - ${group.description}`) : '';
+            const indent = '  '.repeat(getGroupIndentLevel(group));
+            const nodeLabel = group.path.split('/').pop() || group.path;
+            logger_logger.log(`  ${indent}└─ ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold.cyan(nodeLabel)}${vis}${desc} ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(`(${group.path})`)}`);
+        }
+        logger_logger.newline();
+        return;
+    }
+    for (const group of groups){
+        const vis = 'private' === group.visibility ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].yellow(' (private)') : '';
+        const desc = group.description ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(` - ${group.description}`) : '';
+        logger_logger.log(`  ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold.cyan(group.path)}${vis}${desc}`);
+        const meta = [];
+        if (void 0 !== group.skill_count) meta.push(`${group.skill_count} skill(s)`);
+        if (void 0 !== group.member_count) meta.push(`${group.member_count} member(s)`);
+        if (meta.length > 0) logger_logger.log(`    ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(meta.join(' · '))}`);
+    }
+    logger_logger.newline();
+}
+function displayGroupDetail(detail, json) {
+    if (json) {
+        console.log(JSON.stringify(detail, null, 2));
+        return;
+    }
+    logger_logger.newline();
+    logger_logger.log(`${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(detail.name)} ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].gray(`(${detail.path})`)}`);
+    if (detail.description) logger_logger.log(`  ${detail.description}`);
+    logger_logger.newline();
+    const vis = 'private' === detail.visibility ? __WEBPACK_EXTERNAL_MODULE_chalk__["default"].yellow('private') : __WEBPACK_EXTERNAL_MODULE_chalk__["default"].green('public');
+    logger_logger.log(`  Visibility:  ${vis}`);
+    logger_logger.log(`  Level:       ${detail.level}`);
+    if (void 0 !== detail.skill_count) logger_logger.log(`  Skills:      ${detail.skill_count}`);
+    if (void 0 !== detail.member_count) logger_logger.log(`  Members:     ${detail.member_count}`);
+    if (detail.current_user_role) logger_logger.log(`  Your role:   ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(detail.current_user_role)}`);
+    if (detail.children && detail.children.length > 0) {
+        logger_logger.newline();
+        logger_logger.log('  Sub groups:');
+        for (const child of detail.children)logger_logger.log(`    • ${child.path}`);
+    }
+    logger_logger.newline();
+}
+function displayMemberList(members, groupPath, json) {
+    if (json) {
+        console.log(JSON.stringify(members, null, 2));
+        return;
+    }
+    if (0 === members.length) {
+        logger_logger.warn(`No members in group "${groupPath}"`);
+        return;
+    }
+    logger_logger.newline();
+    logger_logger.log(`${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(String(members.length))} member${1 === members.length ? '' : 's'} in ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(groupPath)}:`);
+    logger_logger.newline();
+    for (const member of members){
+        const role = __WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(member.role);
+        const handle = member.handle || member.user_id;
+        logger_logger.log(`  ${handle}  ${role}`);
+    }
+    logger_logger.newline();
+}
+// ============================================================================
+// Subcommand Actions
+// ============================================================================
+async function listAction(options) {
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const groups = await client.listGroups({
+            flat: Boolean(options.tree)
+        });
+        displayGroupList(groups, options.json || false, Boolean(options.tree));
+    } catch (error) {
+        logger_logger.error(`Failed to list groups: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function createAction(name, options) {
+    const registry = resolveRegistry(options.registry);
+    const slug = generateSlug(name);
+    if (!slug) {
+        logger_logger.error('Name must contain at least one ASCII alphanumeric character to generate a valid slug');
+        process.exit(1);
+    }
+    if (!SLUG_REGEX.test(slug)) {
+        logger_logger.error(`Generated slug "${slug}" is invalid. Name must produce a slug matching ${SLUG_REGEX.source}`);
+        process.exit(1);
+    }
+    let parentId;
+    let client;
+    if (options.parent) {
+        const normalizedParent = normalizeGroupPath(options.parent);
+        assertValidGroupPath(normalizedParent);
+        client = createClient(registry);
+        try {
+            const parentGroup = await client.resolveGroup(normalizedParent);
+            parentId = parentGroup.id;
+        } catch (error) {
+            if (error instanceof RegistryError) logger_logger.error(`Parent group "${options.parent}" not found`);
+            else logger_logger.error(`Failed to resolve parent: ${error.message}`);
+            process.exit(1);
+        }
+    }
+    try {
+        const ensuredClient = client ?? createClient(registry);
+        const group = await ensuredClient.createGroup({
+            name,
+            slug,
+            description: options.description,
+            visibility: options.visibility,
+            parent_id: parentId
+        });
+        if (options.json) console.log(JSON.stringify(group, null, 2));
+        else {
+            logger_logger.newline();
+            logger_logger.success(`Group created: ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(group.path)}`);
+            logger_logger.log(`  ID:         ${group.id}`);
+            logger_logger.log(`  Visibility: ${group.visibility}`);
+            logger_logger.newline();
+        }
+    } catch (error) {
+        logger_logger.error(`Failed to create group: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function infoAction(groupPath, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        displayGroupDetail(detail, options.json || false);
+    } catch (error) {
+        if (error instanceof RegistryError) {
+            if (404 === error.statusCode) logger_logger.error(`Group "${groupPath}" not found`);
+            else logger_logger.error(`Failed to get group info: ${error.message}`);
+        } else logger_logger.error(`Failed to get group info: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function deleteAction(groupPath, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        if (options.dryRun) {
+            const result = await client.deleteGroup(detail.id, true);
+            logger_logger.newline();
+            logger_logger.log(`Dry run: deleting group "${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(groupPath)}"`);
+            if (void 0 !== result.affected_skills) logger_logger.log(`  Affected skills: ${result.affected_skills}`);
+            logger_logger.log('No changes made (--dry-run)');
+            logger_logger.newline();
+            return;
+        }
+        if (!options.yes) {
+            const { createInterface } = await import("node:readline");
+            const rl = createInterface({
+                input: process.stdin,
+                output: process.stdout
+            });
+            const answer = await new Promise((resolve)=>{
+                rl.question(`\n? Delete group "${groupPath}" and all its contents? (y/N) `, resolve);
+                rl.once('close', ()=>resolve(''));
+            });
+            rl.close();
+            if ('y' !== answer.trim().toLowerCase() && 'yes' !== answer.trim().toLowerCase()) {
+                logger_logger.log('Cancelled.');
+                return;
+            }
+        }
+        await client.deleteGroup(detail.id, false);
+        logger_logger.success(`Group "${groupPath}" deleted`);
+    } catch (error) {
+        if (error instanceof RegistryError) {
+            if (404 === error.statusCode) logger_logger.error(`Group "${groupPath}" not found`);
+            else logger_logger.error(`Failed to delete group: ${error.message}`);
+        } else logger_logger.error(`Failed to delete group: ${error.message}`);
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Member Subcommand Actions
+// ============================================================================
+async function memberListAction(groupPath, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        const members = await client.listGroupMembers(detail.id);
+        displayMemberList(members, groupPath, options.json || false);
+    } catch (error) {
+        logger_logger.error(`Failed to list members: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function memberAddAction(groupPath, userIds, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    const role = options.role || 'developer';
+    if (!validateRole(role)) {
+        logger_logger.error(`Invalid role "${role}". Must be one of: ${VALID_ROLES.join(', ')}`);
+        process.exit(1);
+    }
+    try {
+        const detail = await client.resolveGroup(normalized);
+        await client.addGroupMembers(detail.id, userIds, role);
+        logger_logger.success(`Added ${userIds.length} member(s) to "${groupPath}" as ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(role)}`);
+    } catch (error) {
+        logger_logger.error(`Failed to add members: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function memberRemoveAction(groupPath, userId, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    try {
+        const detail = await client.resolveGroup(normalized);
+        await client.removeGroupMember(detail.id, userId);
+        logger_logger.success(`Removed "${userId}" from "${groupPath}"`);
+    } catch (error) {
+        logger_logger.error(`Failed to remove member: ${error.message}`);
+        process.exit(1);
+    }
+}
+async function memberRoleAction(groupPath, userId, role, options) {
+    const normalized = normalizeGroupPath(groupPath);
+    assertValidGroupPath(normalized);
+    const registry = resolveRegistry(options.registry);
+    const client = createClient(registry);
+    if (!validateRole(role)) {
+        logger_logger.error(`Invalid role "${role}". Must be one of: ${VALID_ROLES.join(', ')}`);
+        process.exit(1);
+    }
+    try {
+        const detail = await client.resolveGroup(normalized);
+        await client.updateGroupMemberRole(detail.id, userId, role);
+        logger_logger.success(`Updated role of "${userId}" in "${groupPath}" to ${__WEBPACK_EXTERNAL_MODULE_chalk__["default"].bold(role)}`);
+    } catch (error) {
+        logger_logger.error(`Failed to update role: ${error.message}`);
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Command Definitions
+// ============================================================================
+const memberCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('member').description('Manage group members');
+memberCommand.command('list <path>').description('List members of a group').option('-r, --registry <url>', 'Registry URL').option('-j, --json', 'Output as JSON').action(memberListAction);
+memberCommand.command('add <path> <users...>').description('Add members to a group').option('-r, --registry <url>', 'Registry URL').option('--role <role>', 'Role to assign (owner|maintainer|developer)', 'developer').action(memberAddAction);
+memberCommand.command('remove <path> <user>').description('Remove a member from a group').option('-r, --registry <url>', 'Registry URL').action(memberRemoveAction);
+memberCommand.command('role <path> <user> <role>').description("Change a member's role").option('-r, --registry <url>', 'Registry URL').action(memberRoleAction);
+const groupCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('group').description('Manage skill groups');
+groupCommand.command('list').description('List visible groups').option('-r, --registry <url>', 'Registry URL').option('--tree', 'Render groups as a tree (requests flat group list)').option('-j, --json', 'Output as JSON').action(listAction);
+groupCommand.command('create <name>').description('Create a new group').option('-r, --registry <url>', 'Registry URL').option('-d, --description <text>', 'Group description').option('--visibility <level>', 'Visibility: public or private', 'public').option('--parent <path>', 'Parent group path (for sub groups)').option('-j, --json', 'Output as JSON').action(createAction);
+groupCommand.command('info <path>').description('Show group details').option('-r, --registry <url>', 'Registry URL').option('-j, --json', 'Output as JSON').action(infoAction);
+groupCommand.command('delete <path>').description('Delete a group').option('-r, --registry <url>', 'Registry URL').option('-n, --dry-run', 'Preview deletion without executing').option('-y, --yes', 'Skip confirmation').action(deleteAction);
+groupCommand.addCommand(memberCommand);
 /**
  * info command - Show skill details
  */ const infoCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('info').description('Show skill details').argument('<skill>', 'Skill name').option('-j, --json', 'Output as JSON').action((skillName, options)=>{
@@ -7650,6 +8232,7 @@ const SNIPPET_MAX_LENGTH = 120;
         }
     },
     // Rule 3: Content Obfuscation (high) — scans ALL content including safe zones
+    //   Zero-width chars and base64 are suspicious everywhere (even inside code blocks).
     {
         id: 'obfuscation',
         level: 'high',
@@ -7670,6 +8253,18 @@ const SNIPPET_MAX_LENGTH = 120;
                 line: i + 1,
                 snippet: 'Suspicious base64-encoded block detected'
             });
+            return matches;
+        }
+    },
+    // Rule 3b: Large HTML Comments (high) — respects safe zones (code blocks, etc.)
+    //   HTML comments inside fenced code blocks are normal code examples, not obfuscation.
+    {
+        id: 'obfuscation',
+        level: 'high',
+        message: 'Detected content obfuscation',
+        skipSafeZones: true,
+        check: (content)=>{
+            const matches = [];
             // Large HTML comments (>200 chars of content)
             const commentRegex = /<!--([\s\S]{200,}?)-->/g;
             let match;
@@ -8760,6 +9355,7 @@ async function publishAction(skillPath, options) {
     const absolutePath = __WEBPACK_EXTERNAL_MODULE_node_path__.resolve(skillPath);
     // Use cwd() as project root to find skills.json, not the skill path
     const registry = resolveRegistry(options.registry, process.cwd());
+    let normalizedGroupPath;
     // Validate registry is not a blocked public registry
     validateRegistry(registry);
     // Check directory exists
@@ -8767,6 +9363,14 @@ async function publishAction(skillPath, options) {
         logger_logger.error(`Directory not found: ${skillPath}`);
         process.exit(1);
     }
+    if (options.group) {
+        normalizedGroupPath = normalizeGroupPath(options.group);
+        const validation = validateGroupPath(normalizedGroupPath);
+        if (!validation.valid) {
+            logger_logger.error(validation.error);
+            process.exit(1);
+        }
+    }
     const validator = new SkillValidator();
     const publisher = new Publisher();
     try {
@@ -8852,6 +9456,11 @@ async function publishAction(skillPath, options) {
         displayFiles(absolutePath, skill.files, publisher);
         // Display metadata
         displayMetadata(skill);
+        // Display group info
+        if (normalizedGroupPath) {
+            logger_logger.newline();
+            logger_logger.log(`Group: ${normalizedGroupPath}`);
+        }
         // 8. Dry run mode ends here
         if (options.dryRun && payload) {
             displayDryRunSummary(payload);
@@ -8897,7 +9506,8 @@ async function publishAction(skillPath, options) {
                 process.exit(1);
             }
             const result = await client.publish(skillName, payload, absolutePath, {
-                tag: options.tag
+                tag: options.tag,
+                groupPath: normalizedGroupPath
             });
             if (!result.success || !result.data) {
                 logger_logger.error(result.error || 'Publish failed');
@@ -8931,7 +9541,7 @@ async function publishAction(skillPath, options) {
 // ============================================================================
 // Command Definition
 // ============================================================================
-const publishCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('publish').alias('pub').description('Publish a skill to the registry').argument('[path]', 'Path to skill directory', '.').option('-r, --registry <url>', 'Registry URL (or set RESKILL_REGISTRY env var, or defaults.publishRegistry in skills.json)').option('-t, --tag <tag>', 'Git tag to publish').option('--access <level>', 'Access level: public or restricted', 'public').option('-n, --dry-run', 'Validate without publishing').option('-y, --yes', 'Skip confirmation prompts').action(publishAction);
+const publishCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('publish').alias('pub').description('Publish a skill to the registry').argument('[path]', 'Path to skill directory', '.').option('-r, --registry <url>', 'Registry URL (or set RESKILL_REGISTRY env var, or defaults.publishRegistry in skills.json)').option('-t, --tag <tag>', 'Git tag to publish').option('--access <level>', 'Access level: public or restricted', 'public').option('-n, --dry-run', 'Validate without publishing').option('-y, --yes', 'Skip confirmation prompts').option('-g, --group <path>', 'Publish skill into a group (e.g., "kanyun/frontend")').action(publishAction);
 /**
  * uninstall command - Uninstall one or more skills
  */ const uninstallCommand = new __WEBPACK_EXTERNAL_MODULE_commander__.Command('uninstall').alias('un').alias('remove').alias('rm').description('Uninstall one or more skills').argument('<skills...>', 'Skill names to uninstall').option('-g, --global', 'Uninstall from global installation (~/.claude/skills)').option('-y, --yes', 'Skip confirmation prompts').action(async (skillNames, options)=>{
@@ -9107,6 +9717,7 @@ program.addCommand(publishCommand);
 program.addCommand(loginCommand);
 program.addCommand(logoutCommand);
 program.addCommand(whoamiCommand);
+program.addCommand(groupCommand);
 program.addCommand(completionCommand);
 program.addCommand(doctorCommand);
 // Start update check in background (non-blocking)