skill-organizer 0.0.4 → 1.0.0

package/README.md

@@ -2,7 +2,7 @@
 
 This package installs the `skill-organizer` CLI by downloading the matching prebuilt binary from GitHub Releases.
 
-Agent-first install and onboarding instructions are documented in [`../../AGENTS_README.md`](../../AGENTS_README.md).
+Agent-first install and onboarding instructions are documented in [`../../../AGENTS_README.md`](../../../AGENTS_README.md).
 
 ## Install
 
@@ -19,6 +19,7 @@ skill-organizer --version
 ## Notes
 
 - The install script downloads a release artifact for your current OS and architecture.
+- The install script only downloads from `sergiocarracedo/skill-organizer` GitHub Releases.
 - The package version must match an existing GitHub release and its uploaded assets.
 - Installs with `--ignore-scripts` are not supported.
 

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "skill-organizer",
-  "version": "0.0.4",
+  "version": "1.0.0",
   "description": "Install the skill-organizer CLI from GitHub Releases",
   "license": "UNLICENSED",
   "homepage": "https://github.com/sergiocarracedo/skill-organizer",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/sergiocarracedo/skill-organizer.git",
-    "directory": "cli/packages/npm"
+    "directory": "packages/cli/packages/npm"
   },
   "bugs": {
     "url": "https://github.com/sergiocarracedo/skill-organizer/issues"

package/scripts/postinstall.js

@@ -10,10 +10,11 @@ const { spawn } = require("node:child_process");
 
 const pkg = require("../package.json");
 
-const owner = process.env.SKILL_ORGANIZER_GITHUB_OWNER || "sergiocarracedo";
-const repo = process.env.SKILL_ORGANIZER_GITHUB_REPO || "skill-organizer";
+const owner = "sergiocarracedo";
+const repo = "skill-organizer";
 const version = pkg.version;
 const tag = `v${version}`;
+const allowedRedirectHosts = new Set(["github.com", "release-assets.githubusercontent.com"]);
 const osMap = {
   linux: "Linux",
   darwin: "Darwin",
@@ -25,6 +26,11 @@ const archMap = {
 };
 
 async function main() {
+  if (isSourceCheckoutInstall()) {
+    console.log("Skipping binary download for source checkout install.");
+    return;
+  }
+
   const osName = osMap[process.platform];
   const archName = archMap[process.arch];
   if (!osName || !archName) {
@@ -69,12 +75,42 @@ async function main() {
   await fsp.rm(tmpDir, { recursive: true, force: true });
 }
 
+function isSourceCheckoutInstall() {
+  let current = path.resolve(__dirname, "..");
+
+  while (true) {
+    const manifestPath = path.join(current, "package.json");
+    if (fs.existsSync(manifestPath)) {
+      try {
+        const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+        if (manifest.name === "skill-organizer-monorepo" && manifest.private === true) {
+          return true;
+        }
+      } catch {
+        return false;
+      }
+    }
+
+    const parent = path.dirname(current);
+    if (parent === current) {
+      return false;
+    }
+    current = parent;
+  }
+}
+
 function download(url, destination) {
   return new Promise((resolve, reject) => {
     https.get(url, (response) => {
       if (response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        const redirect = new URL(response.headers.location, url);
+        if (redirect.protocol !== "https:" || !allowedRedirectHosts.has(redirect.hostname)) {
+          reject(new Error(`refusing redirect to unexpected host: ${redirect.origin}`));
+          response.resume();
+          return;
+        }
         response.resume();
-        download(response.headers.location, destination).then(resolve, reject);
+        download(redirect.toString(), destination).then(resolve, reject);
         return;
       }