skillspp 0.2.0 → 1.3.0

package/dist/background-executor.js

@@ -0,0 +1,3895 @@
+// ../../packages/core/src/runtime/background-tasks.ts
+import fs13 from "node:fs";
+import os7 from "node:os";
+import path14 from "node:path";
+
+// ../../packages/core/src/runtime/agents.ts
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+var STANDARD_AGENTS = {
+  universal: {
+    displayName: "Universal",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".agents/skills",
+    installMarkers: [".agents"]
+  },
+  adal: {
+    displayName: "AdaL",
+    projectSkillsDir: ".adal/skills",
+    globalSkillsDir: ".adal/skills",
+    installMarkers: [".adal"]
+  },
+  antigravity: {
+    displayName: "Antigravity",
+    projectSkillsDir: ".agent/skills",
+    globalSkillsDir: ".gemini/antigravity/skills",
+    installMarkers: [".gemini/antigravity"]
+  },
+  augment: {
+    displayName: "Augment",
+    projectSkillsDir: ".augment/skills",
+    globalSkillsDir: ".augment/skills",
+    installMarkers: [".augment"]
+  },
+  "claude-code": {
+    displayName: "Claude Code",
+    projectSkillsDir: ".claude/skills",
+    globalSkillsDir: ".claude/skills",
+    installMarkers: [".claude"]
+  },
+  "cortex-code": {
+    displayName: "Cortex Code",
+    projectSkillsDir: ".cortex/skills",
+    globalSkillsDir: ".cortex/skills",
+    installMarkers: [".cortex"]
+  },
+  crush: {
+    displayName: "Crush",
+    projectSkillsDir: ".crush/skills",
+    globalSkillsDir: ".crush/skills",
+    installMarkers: [".crush"]
+  },
+  droid: {
+    displayName: "Droid",
+    projectSkillsDir: ".factory/skills",
+    globalSkillsDir: ".factory/skills",
+    installMarkers: [".factory"]
+  },
+  goose: {
+    displayName: "Goose",
+    projectSkillsDir: ".goose/skills",
+    globalSkillsDir: ".config/goose/skills",
+    installMarkers: [".config/goose"]
+  },
+  "iflow-cli": {
+    displayName: "iFlow CLI",
+    projectSkillsDir: ".iflow/skills",
+    globalSkillsDir: ".iflow/skills",
+    installMarkers: [".iflow"]
+  },
+  junie: {
+    displayName: "Junie",
+    projectSkillsDir: ".junie/skills",
+    globalSkillsDir: ".junie/skills",
+    installMarkers: [".junie"]
+  },
+  "kiro-cli": {
+    displayName: "Kiro CLI",
+    projectSkillsDir: ".kiro/skills",
+    globalSkillsDir: ".kiro/skills",
+    installMarkers: [".kiro"]
+  },
+  kode: {
+    displayName: "Kode",
+    projectSkillsDir: ".kode/skills",
+    globalSkillsDir: ".kode/skills",
+    installMarkers: [".kode"]
+  },
+  openclaw: {
+    displayName: "OpenClaw",
+    projectSkillsDir: "skills",
+    globalSkillsDir: ".openclaw/skills",
+    installMarkers: [".openclaw"]
+  },
+  openhands: {
+    displayName: "OpenHands",
+    projectSkillsDir: ".openhands/skills",
+    globalSkillsDir: ".openhands/skills",
+    installMarkers: [".openhands"]
+  },
+  "mistral-vibe": {
+    displayName: "Mistral Vibe",
+    projectSkillsDir: ".vibe/skills",
+    globalSkillsDir: ".vibe/skills",
+    installMarkers: [".vibe"]
+  },
+  neovate: {
+    displayName: "Neovate",
+    projectSkillsDir: ".neovate/skills",
+    globalSkillsDir: ".neovate/skills",
+    installMarkers: [".neovate"]
+  },
+  pochi: {
+    displayName: "Pochi",
+    projectSkillsDir: ".pochi/skills",
+    globalSkillsDir: ".pochi/skills",
+    installMarkers: [".pochi"]
+  },
+  qoder: {
+    displayName: "Qoder",
+    projectSkillsDir: ".qoder/skills",
+    globalSkillsDir: ".qoder/skills",
+    installMarkers: [".qoder"]
+  },
+  "qwen-code": {
+    displayName: "Qwen Code",
+    projectSkillsDir: ".qwen/skills",
+    globalSkillsDir: ".qwen/skills",
+    installMarkers: [".qwen"]
+  },
+  roo: {
+    displayName: "Roo Code",
+    projectSkillsDir: ".roo/skills",
+    globalSkillsDir: ".roo/skills",
+    installMarkers: [".roo"]
+  },
+  trae: {
+    displayName: "Trae",
+    projectSkillsDir: ".trae/skills",
+    globalSkillsDir: ".trae/skills",
+    installMarkers: [".trae"]
+  },
+  "trae-cn": {
+    displayName: "Trae CN",
+    projectSkillsDir: ".trae/skills",
+    globalSkillsDir: ".trae/skills",
+    installMarkers: [".trae"]
+  },
+  windsurf: {
+    displayName: "Windsurf",
+    projectSkillsDir: ".windsurf/skills",
+    globalSkillsDir: ".codeium/windsurf/skills",
+    installMarkers: [".windsurf", ".codeium/windsurf"]
+  },
+  zencoder: {
+    displayName: "Zencoder",
+    projectSkillsDir: ".zencoder/skills",
+    globalSkillsDir: ".zencoder/skills",
+    installMarkers: [".zencoder"]
+  },
+  continue: {
+    displayName: "Continue",
+    projectSkillsDir: ".continue/skills",
+    globalSkillsDir: ".continue/skills",
+    installMarkers: [".continue"]
+  },
+  codebuddy: {
+    displayName: "CodeBuddy",
+    projectSkillsDir: ".codebuddy/skills",
+    globalSkillsDir: ".codebuddy/skills",
+    installMarkers: [".codebuddy"]
+  },
+  "command-code": {
+    displayName: "Command Code",
+    projectSkillsDir: ".commandcode/skills",
+    globalSkillsDir: ".commandcode/skills",
+    installMarkers: [".commandcode"]
+  },
+  kilo: {
+    displayName: "Kilo Code",
+    projectSkillsDir: ".kilocode/skills",
+    globalSkillsDir: ".kilocode/skills",
+    installMarkers: [".kilocode"]
+  },
+  mcpjam: {
+    displayName: "MCPJam",
+    projectSkillsDir: ".mcpjam/skills",
+    globalSkillsDir: ".mcpjam/skills",
+    installMarkers: [".mcpjam"]
+  },
+  mux: {
+    displayName: "Mux",
+    projectSkillsDir: ".mux/skills",
+    globalSkillsDir: ".mux/skills",
+    installMarkers: [".mux"]
+  },
+  pi: {
+    displayName: "Pi",
+    projectSkillsDir: ".pi/skills",
+    globalSkillsDir: ".pi/agent/skills",
+    installMarkers: [".pi"]
+  },
+  replit: {
+    displayName: "Replit",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".config/agents/skills",
+    installMarkers: [".config/agents"]
+  }
+};
+var AGENTS = {
+  ...STANDARD_AGENTS,
+  codex: {
+    displayName: "Codex",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".codex/skills",
+    installMarkers: [".codex"]
+  },
+  cursor: {
+    displayName: "Cursor",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".cursor/skills",
+    installMarkers: [".cursor"]
+  },
+  "gemini-cli": {
+    displayName: "Gemini CLI",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".gemini/skills",
+    installMarkers: [".gemini"]
+  },
+  "github-copilot": {
+    displayName: "GitHub Copilot",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".copilot/skills",
+    installMarkers: [".copilot"]
+  },
+  amp: {
+    displayName: "Amp",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".config/agents/skills",
+    installMarkers: [".config/agents"]
+  },
+  opencode: {
+    displayName: "OpenCode",
+    projectSkillsDir: ".agents/skills",
+    globalSkillsDir: ".config/opencode/skills",
+    installMarkers: [".config/opencode"]
+  },
+  windsurf: {
+    displayName: "Windsurf",
+    projectSkillsDir: ".windsurf/skills",
+    globalSkillsDir: ".codeium/windsurf/skills",
+    installMarkers: [".windsurf", ".codeium/windsurf"]
+  },
+  cline: {
+    displayName: "Cline",
+    projectSkillsDir: ".cline/skills",
+    globalSkillsDir: ".cline/skills",
+    installMarkers: [".cline"]
+  }
+};
+var ALL_AGENTS = Object.keys(AGENTS);
+function isAgent(value) {
+  return Object.prototype.hasOwnProperty.call(AGENTS, value);
+}
+function resolveAgents(input) {
+  if (!input || input.length === 0) {
+    const detected = detectInstalledAgents();
+    return detected.length > 0 ? detected : ["opencode", "codex"];
+  }
+  if (input.includes("*")) {
+    const detected = detectInstalledAgents();
+    return detected.length > 0 ? detected : ALL_AGENTS;
+  }
+  const out = [];
+  for (const value of input) {
+    if (!isAgent(value)) {
+      throw new Error(`Unknown agent: ${value}`);
+    }
+    if (!out.includes(value)) {
+      out.push(value);
+    }
+  }
+  return out;
+}
+function getAgentSkillsDir(agent, globalInstall, cwd) {
+  const relative = globalInstall ? AGENTS[agent].globalSkillsDir : AGENTS[agent].projectSkillsDir;
+  const base = globalInstall ? os.homedir() : cwd;
+  return path.join(base, relative);
+}
+function detectInstalledAgents(cwd = process.cwd()) {
+  const found = [];
+  for (const agent of Object.keys(AGENTS)) {
+    if (isAgentInstalled(agent, cwd)) {
+      found.push(agent);
+    }
+  }
+  return found;
+}
+function filterInstalledAgents(agents, cwd = process.cwd()) {
+  return agents.filter((agent) => isAgentInstalled(agent, cwd));
+}
+function isAgentInstalled(agent, cwd) {
+  const info = AGENTS[agent];
+  const home = os.homedir();
+  if (info.installMarkers) {
+    for (const marker of info.installMarkers) {
+      if (fs.existsSync(path.join(home, marker))) {
+        return true;
+      }
+    }
+  }
+  const projectSkillsDir = getAgentSkillsDir(agent, false, cwd);
+  if (info.projectSkillsDir !== ".agents/skills" && fs.existsSync(projectSkillsDir)) {
+    return true;
+  }
+  const globalSkillsDir = getAgentSkillsDir(agent, true, cwd);
+  if (info.globalSkillsDir !== ".config/agents/skills" && info.globalSkillsDir !== ".agents/skills" && fs.existsSync(globalSkillsDir)) {
+    return true;
+  }
+  return false;
+}
+
+// ../../packages/core/src/runtime/check-analysis.ts
+import fs6 from "node:fs";
+import path7 from "node:path";
+
+// ../../packages/core/src/sources/skills.ts
+import fs2 from "node:fs";
+import os2 from "node:os";
+import path2 from "node:path";
+import matter from "gray-matter";
+var SKIP_DIRS = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", "__pycache__"]);
+function resolveSourceLabel(parsedSource) {
+  switch (parsedSource.type) {
+    case "local":
+      return parsedSource.localPath;
+    case "github":
+    case "git":
+      return parsedSource.repoUrl;
+    case "well-known":
+    case "catalog":
+      return parsedSource.url;
+    default:
+      return "";
+  }
+}
+function stageRemoteSkillFilesToTempDir(files, options) {
+  const tmp = fs2.mkdtempSync(path2.join(os2.tmpdir(), options?.prefix || "skillspp-remote-"));
+  try {
+    for (const [relativePath, content] of files.entries()) {
+      const resolved = path2.resolve(tmp, relativePath);
+      const rel = path2.relative(tmp, resolved);
+      if (!rel || rel.startsWith("..") || path2.isAbsolute(rel)) {
+        throw new Error(`Unsafe remote skill file path: ${relativePath}`);
+      }
+      fs2.mkdirSync(path2.dirname(resolved), { recursive: true });
+      fs2.writeFileSync(resolved, content, "utf8");
+    }
+  } catch (error) {
+    fs2.rmSync(tmp, { recursive: true, force: true });
+    throw error;
+  }
+  return {
+    path: tmp,
+    cleanup: () => fs2.rmSync(tmp, { recursive: true, force: true })
+  };
+}
+function hasSkillMd(dir) {
+  const skillPath = path2.join(dir, "SKILL.md");
+  return fs2.existsSync(skillPath) && fs2.statSync(skillPath).isFile();
+}
+async function hasSkillMdAsync(dir) {
+  const skillPath = path2.join(dir, "SKILL.md");
+  try {
+    const stat = await fs2.promises.stat(skillPath);
+    return stat.isFile();
+  } catch {
+    return false;
+  }
+}
+function parseSkillMd(skillMdPath) {
+  try {
+    const raw = fs2.readFileSync(skillMdPath, "utf8");
+    const { data } = matter(raw);
+    if (typeof data.name !== "string" || typeof data.description !== "string") {
+      return null;
+    }
+    return {
+      name: data.name,
+      description: data.description,
+      path: path2.dirname(skillMdPath)
+    };
+  } catch {
+    return null;
+  }
+}
+async function parseSkillMdAsync(skillMdPath) {
+  try {
+    const raw = await fs2.promises.readFile(skillMdPath, "utf8");
+    const { data } = matter(raw);
+    if (typeof data.name !== "string" || typeof data.description !== "string") {
+      return null;
+    }
+    return {
+      name: data.name,
+      description: data.description,
+      path: path2.dirname(skillMdPath)
+    };
+  } catch {
+    return null;
+  }
+}
+function findSkillDirsRecursive(dir, depth, maxDepth, out) {
+  if (depth > maxDepth) {
+    return;
+  }
+  if (!fs2.existsSync(dir) || !fs2.statSync(dir).isDirectory()) {
+    return;
+  }
+  if (hasSkillMd(dir)) {
+    out.push(dir);
+  }
+  for (const entry of fs2.readdirSync(dir, { withFileTypes: true })) {
+    if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
+      continue;
+    }
+    findSkillDirsRecursive(path2.join(dir, entry.name), depth + 1, maxDepth, out);
+  }
+}
+async function findSkillDirsRecursiveAsync(dir, depth, maxDepth, out) {
+  if (depth > maxDepth) {
+    return;
+  }
+  try {
+    const stat = await fs2.promises.stat(dir);
+    if (!stat.isDirectory()) {
+      return;
+    }
+  } catch {
+    return;
+  }
+  if (await hasSkillMdAsync(dir)) {
+    out.push(dir);
+  }
+  let entries = [];
+  try {
+    entries = await fs2.promises.readdir(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
+      continue;
+    }
+    await findSkillDirsRecursiveAsync(path2.join(dir, entry.name), depth + 1, maxDepth, out);
+  }
+}
+function discoverSkills(basePath) {
+  const dirsToSearch = [
+    basePath,
+    path2.join(basePath, "skills"),
+    path2.join(basePath, "skills", ".curated"),
+    path2.join(basePath, "skills", ".experimental"),
+    path2.join(basePath, "skills", ".system"),
+    path2.join(basePath, ".agents", "skills"),
+    path2.join(basePath, ".agent", "skills")
+  ];
+  const skillDirs = [];
+  for (const dir of dirsToSearch) {
+    if (!fs2.existsSync(dir) || !fs2.statSync(dir).isDirectory()) {
+      continue;
+    }
+    for (const entry of fs2.readdirSync(dir, { withFileTypes: true })) {
+      if (!entry.isDirectory()) {
+        continue;
+      }
+      const candidate = path2.join(dir, entry.name);
+      if (hasSkillMd(candidate)) {
+        skillDirs.push(candidate);
+      }
+    }
+  }
+  if (hasSkillMd(basePath)) {
+    skillDirs.unshift(basePath);
+  }
+  if (skillDirs.length === 0) {
+    findSkillDirsRecursive(basePath, 0, 5, skillDirs);
+  }
+  const seen = /* @__PURE__ */ new Set();
+  const skills = [];
+  for (const dir of skillDirs) {
+    const parsed = parseSkillMd(path2.join(dir, "SKILL.md"));
+    if (!parsed) {
+      continue;
+    }
+    if (seen.has(parsed.name)) {
+      continue;
+    }
+    seen.add(parsed.name);
+    skills.push(parsed);
+  }
+  return skills;
+}
+async function discoverSkillsAsync(basePath) {
+  const dirsToSearch = [
+    basePath,
+    path2.join(basePath, "skills"),
+    path2.join(basePath, "skills", ".curated"),
+    path2.join(basePath, "skills", ".experimental"),
+    path2.join(basePath, "skills", ".system"),
+    path2.join(basePath, ".agents", "skills"),
+    path2.join(basePath, ".agent", "skills")
+  ];
+  const skillDirs = [];
+  for (const dir of dirsToSearch) {
+    let stat;
+    try {
+      stat = await fs2.promises.stat(dir);
+    } catch {
+      stat = void 0;
+    }
+    if (!stat || !stat.isDirectory()) {
+      continue;
+    }
+    let entries = [];
+    try {
+      entries = await fs2.promises.readdir(dir, { withFileTypes: true });
+    } catch {
+      entries = [];
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory()) {
+        continue;
+      }
+      const candidate = path2.join(dir, entry.name);
+      if (await hasSkillMdAsync(candidate)) {
+        skillDirs.push(candidate);
+      }
+    }
+  }
+  if (await hasSkillMdAsync(basePath)) {
+    skillDirs.unshift(basePath);
+  }
+  if (skillDirs.length === 0) {
+    await findSkillDirsRecursiveAsync(basePath, 0, 5, skillDirs);
+  }
+  const seen = /* @__PURE__ */ new Set();
+  const skills = [];
+  for (const dir of skillDirs) {
+    const parsed = await parseSkillMdAsync(path2.join(dir, "SKILL.md"));
+    if (!parsed) {
+      continue;
+    }
+    if (seen.has(parsed.name)) {
+      continue;
+    }
+    seen.add(parsed.name);
+    skills.push(parsed);
+  }
+  return skills;
+}
+
+// ../../packages/core/src/sources/source-parser.ts
+import path3 from "node:path";
+function isLocalPath(input) {
+  return path3.isAbsolute(input) || input === "." || input === ".." || input.startsWith("./") || input.startsWith("../") || /^[a-zA-Z]:[\\/]/.test(input);
+}
+function parseSource(input) {
+  if (input.startsWith("catalog+https://")) {
+    return { type: "catalog", url: input.slice("catalog+".length) };
+  }
+  if (isLocalPath(input)) {
+    return { type: "local", localPath: path3.resolve(input) };
+  }
+  const githubTreeWithPath = input.match(/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)\/(.+)/);
+  if (githubTreeWithPath) {
+    const [, owner, repo, ref, subpath] = githubTreeWithPath;
+    return {
+      type: "github",
+      repoUrl: `https://github.com/${owner}/${repo.replace(/\.git$/, "")}.git`,
+      ref,
+      subpath
+    };
+  }
+  const githubTree = input.match(/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)$/);
+  if (githubTree) {
+    const [, owner, repo, ref] = githubTree;
+    return {
+      type: "github",
+      repoUrl: `https://github.com/${owner}/${repo.replace(/\.git$/, "")}.git`,
+      ref
+    };
+  }
+  const githubRepo = input.match(/github\.com\/([^/]+)\/([^/]+)/);
+  if (githubRepo) {
+    const [, owner, repo] = githubRepo;
+    return {
+      type: "github",
+      repoUrl: `https://github.com/${owner}/${repo.replace(/\.git$/, "")}.git`
+    };
+  }
+  const gitlabRepo = input.match(/gitlab\.com\/([^/]+)\/([^/]+)/);
+  if (gitlabRepo) {
+    const [, owner, repo] = gitlabRepo;
+    return {
+      type: "git",
+      repoUrl: `https://gitlab.com/${owner}/${repo.replace(/\.git$/, "")}.git`
+    };
+  }
+  const shorthand = input.match(/^([^/]+)\/([^/]+)(?:\/(.+))?$/);
+  if (shorthand && !input.includes(":") && !input.startsWith(".")) {
+    const [, owner, repo, subpath] = shorthand;
+    return {
+      type: "github",
+      repoUrl: `https://github.com/${owner}/${repo.replace(/\.git$/, "")}.git`,
+      subpath
+    };
+  }
+  if (input.startsWith("http://") || input.startsWith("https://")) {
+    if (input.endsWith(".git")) {
+      return { type: "git", repoUrl: input };
+    }
+    return { type: "well-known", url: input };
+  }
+  return { type: "git", repoUrl: input };
+}
+
+// ../../packages/core/src/sources/git.ts
+import fs3 from "node:fs";
+import os3 from "node:os";
+import path4 from "node:path";
+import { spawn, spawnSync } from "node:child_process";
+function runGit(args, cwd) {
+  const result = spawnSync("git", args, {
+    cwd,
+    encoding: "utf8",
+    stdio: "pipe"
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr || "").trim();
+    const stdout = (result.stdout || "").trim();
+    const detail = stderr || stdout || "git command failed";
+    throw new Error(`${detail}`);
+  }
+}
+function runGitAsync(args, cwd) {
+  return new Promise((resolve, reject) => {
+    const child = spawn("git", args, {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      reject(error);
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      const detail = stderr.trim() || stdout.trim() || "git command failed";
+      reject(new Error(detail));
+    });
+  });
+}
+function runGitOutputAsync(args, cwd) {
+  return new Promise((resolve, reject) => {
+    const child = spawn("git", args, {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", (error) => {
+      reject(error);
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve(stdout.trim());
+        return;
+      }
+      const detail = stderr.trim() || stdout.trim() || "git command failed";
+      reject(new Error(detail));
+    });
+  });
+}
+function applyCheckoutRefSync(repoDir, ref) {
+  if (!ref) {
+    return;
+  }
+  runGit(["fetch", "--depth", "1", "origin", ref], repoDir);
+  runGit(["checkout", ref], repoDir);
+}
+async function applyCheckoutRefAsync(repoDir, ref) {
+  if (!ref) {
+    return;
+  }
+  await runGitAsync(["fetch", "--depth", "1", "origin", ref], repoDir);
+  await runGitAsync(["checkout", ref], repoDir);
+}
+function prepareSourceDir(parsed) {
+  if (parsed.type === "local") {
+    if (!fs3.existsSync(parsed.localPath)) {
+      throw new Error(`Local source not found: ${parsed.localPath}`);
+    }
+    return { basePath: parsed.localPath };
+  }
+  const tmp = fs3.mkdtempSync(path4.join(os3.tmpdir(), "skillspp-cli-"));
+  runGit(["clone", "--depth", "1", parsed.repoUrl, tmp]);
+  const ref = parsed.type === "github" ? parsed.ref : void 0;
+  applyCheckoutRefSync(tmp, ref);
+  const basePath = parsed.type === "github" && parsed.subpath ? path4.join(tmp, parsed.subpath) : tmp;
+  return {
+    basePath,
+    cleanup: () => {
+      fs3.rmSync(tmp, { recursive: true, force: true });
+    }
+  };
+}
+async function prepareSourceDirAsync(parsed) {
+  if (parsed.type === "local") {
+    if (!fs3.existsSync(parsed.localPath)) {
+      throw new Error(`Local source not found: ${parsed.localPath}`);
+    }
+    return { basePath: parsed.localPath };
+  }
+  const tmp = fs3.mkdtempSync(path4.join(os3.tmpdir(), "skillspp-cli-"));
+  await runGitAsync(["clone", "--depth", "1", parsed.repoUrl, tmp]);
+  const ref = parsed.type === "github" ? parsed.ref : void 0;
+  await applyCheckoutRefAsync(tmp, ref);
+  const basePath = parsed.type === "github" && parsed.subpath ? path4.join(tmp, parsed.subpath) : tmp;
+  return {
+    basePath,
+    cleanup: () => {
+      fs3.rmSync(tmp, { recursive: true, force: true });
+    }
+  };
+}
+async function resolveGitHeadRefAsync(repoDir) {
+  return runGitOutputAsync(["rev-parse", "HEAD"], repoDir);
+}
+
+// ../../packages/core/src/providers/registry.ts
+var ProviderRegistry = class {
+  providers = [];
+  register(provider) {
+    if (this.providers.some((item) => item.id === provider.id)) {
+      throw new Error(`Provider with id '${provider.id}' already registered`);
+    }
+    this.providers.push(provider);
+  }
+  findProvider(url) {
+    for (const provider of this.providers) {
+      if (provider.match(url).matches) {
+        return provider;
+      }
+    }
+    return null;
+  }
+  getProviders() {
+    return [...this.providers];
+  }
+  getProviderById(id) {
+    return this.providers.find((item) => item.id === id) || null;
+  }
+};
+var registry = new ProviderRegistry();
+function registerProvider(provider) {
+  registry.register(provider);
+}
+function getProviderById(id) {
+  return registry.getProviderById(id);
+}
+
+// ../../packages/core/src/providers/wellknown.ts
+import dns from "node:dns/promises";
+import net from "node:net";
+var DEFAULT_OPTIONS = {
+  maxDownloadBytes: 5 * 1024 * 1024,
+  timeoutMs: 1e4,
+  maxRedirects: 3,
+  maxFilesPerSkill: 128,
+  maxSkillFileBytes: 512 * 1024
+};
+var EXCLUDED_HOSTS = /* @__PURE__ */ new Set(["github.com", "gitlab.com", "raw.githubusercontent.com"]);
+var SKILL_CONFIG = {
+  kind: "skills",
+  displayLabel: "well-known skills",
+  indexPath: "/.well-known/skills/index.json",
+  entryLabel: "skill",
+  requireDescription: true,
+  missingManifestMessage: (name) => `Well-known skill '${name}' is missing SKILL.md`,
+  validateName(name) {
+    if (!/^[a-z0-9]([a-z0-9-]{0,62}[a-z0-9])?$/.test(name)) {
+      throw new Error(`Invalid well-known skill name: ${name}`);
+    }
+  },
+  hasRequiredManifest(filePath) {
+    return filePath.toLowerCase() === "skill.md";
+  },
+  buildRemoteResult({ entry, files, sourceUrl }) {
+    return {
+      name: entry.name,
+      description: entry.description || "",
+      installName: entry.name,
+      sourceUrl,
+      sourceType: "well-known",
+      files
+    };
+  }
+};
+var SecureWellKnownProvider = class {
+  id = "well-known";
+  displayName = "Secure Well-Known Skills";
+  match(url) {
+    if (!url.startsWith("http://") && !url.startsWith("https://")) {
+      return { matches: false };
+    }
+    try {
+      const parsed = new URL(url);
+      if (EXCLUDED_HOSTS.has(parsed.hostname.toLowerCase())) {
+        return { matches: false };
+      }
+      return { matches: true, sourceIdentifier: this.getSourceIdentifier(url) };
+    } catch {
+      return { matches: false };
+    }
+  }
+  getSourceIdentifier(url) {
+    const parsed = new URL(url);
+    const pathname = parsed.pathname.replace(/\/$/, "");
+    return pathname && pathname !== "/" ? `wellknown/${parsed.hostname}${pathname}` : `wellknown/${parsed.hostname}`;
+  }
+  async fetchAllSkills(url, options = {}) {
+    return this.fetchAllResources(url, options, SKILL_CONFIG);
+  }
+  async fetchAllResources(url, options, config) {
+    const normalized = this.normalizeOptions(options);
+    const budget = { remaining: normalized.maxDownloadBytes };
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:") {
+      throw new Error("Well-known provider requires HTTPS URLs");
+    }
+    await this.assertHostAllowed(parsed.hostname, normalized);
+    const { index, resolvedBase } = await this.fetchIndex(parsed, normalized, budget, config);
+    const resources = [];
+    for (const entry of index) {
+      resources.push(
+        await this.fetchResourceByEntry(resolvedBase, entry, normalized, budget, config)
+      );
+    }
+    return resources;
+  }
+  normalizeOptions(options) {
+    return {
+      allowHosts: (options.allowHosts || []).map((value) => value.trim().toLowerCase()).filter(Boolean),
+      denyHosts: (options.denyHosts || []).map((value) => value.trim().toLowerCase()).filter(Boolean),
+      maxDownloadBytes: options.maxDownloadBytes ?? DEFAULT_OPTIONS.maxDownloadBytes,
+      timeoutMs: options.timeoutMs ?? DEFAULT_OPTIONS.timeoutMs,
+      maxRedirects: options.maxRedirects ?? DEFAULT_OPTIONS.maxRedirects,
+      maxFilesPerSkill: options.maxFilesPerSkill ?? DEFAULT_OPTIONS.maxFilesPerSkill,
+      maxSkillFileBytes: options.maxSkillFileBytes ?? DEFAULT_OPTIONS.maxSkillFileBytes
+    };
+  }
+  async fetchIndex(parsedUrl, options, budget, config) {
+    const candidates = this.buildBaseCandidates(parsedUrl, config.indexPath);
+    for (const base of candidates) {
+      const indexUrl = `${base}${config.indexPath}`;
+      try {
+        const jsonText = await this.fetchTextWithLimit(
+          indexUrl,
+          options.maxDownloadBytes,
+          options,
+          budget
+        );
+        const parsed = JSON.parse(jsonText);
+        const validated = this.validateIndex(parsed, options.maxFilesPerSkill, config);
+        return { index: validated, resolvedBase: base };
+      } catch {
+        continue;
+      }
+    }
+    throw new Error(`No valid ${config.displayLabel} index found at ${config.indexPath}`);
+  }
+  buildBaseCandidates(parsed, indexPath) {
+    const origin = parsed.origin;
+    const pathname = parsed.pathname.replace(/\/$/, "");
+    const marker = indexPath.replace(/\/index\.json$/, "");
+    const out = [];
+    if (pathname.includes(marker)) {
+      const prefix = pathname.slice(0, pathname.indexOf(marker));
+      out.push(`${origin}${prefix}`.replace(/\/$/, ""));
+      if (prefix !== "") {
+        out.push(origin);
+      }
+    } else {
+      out.push(`${origin}${pathname}`.replace(/\/$/, ""));
+      if (pathname !== "") {
+        out.push(origin);
+      }
+    }
+    return [
+      ...new Set(out.map((value) => value.endsWith("/") ? value.slice(0, -1) : value))
+    ].filter(Boolean);
+  }
+  validateIndex(raw, maxFilesPerSkill, config) {
+    if (!raw || typeof raw !== "object") {
+      throw new Error("Invalid well-known index: expected object");
+    }
+    const data = raw;
+    const rows = data[config.kind];
+    if (!Array.isArray(rows)) {
+      throw new Error(`Invalid well-known index: '${config.kind}' must be an array`);
+    }
+    return rows.map((item, idx) => {
+      if (!item || typeof item !== "object") {
+        throw new Error(`Invalid well-known index entry[${idx}]`);
+      }
+      const row = item;
+      const name = String(row.name || "").trim();
+      const description = typeof row.description === "string" ? row.description.trim() : void 0;
+      const files = Array.isArray(row.files) ? row.files.map((value) => String(value)) : [];
+      if (!name || files.length === 0) {
+        throw new Error(`Invalid well-known index entry[${idx}]: missing required fields`);
+      }
+      if (config.requireDescription && !description) {
+        throw new Error(`Invalid well-known index entry[${idx}]: missing required fields`);
+      }
+      config.validateName?.(name);
+      if (files.length > maxFilesPerSkill) {
+        throw new Error(`Too many files in well-known ${config.entryLabel} '${name}'`);
+      }
+      if (!files.some((filePath) => config.hasRequiredManifest(filePath))) {
+        throw new Error(config.missingManifestMessage(name));
+      }
+      for (const file of files) {
+        this.assertSafeRelativePath(file);
+      }
+      return { name, description, files };
+    });
+  }
+  assertSafeRelativePath(filePath) {
+    if (!filePath || filePath.startsWith("/") || filePath.startsWith("\\") || filePath.includes("..") || filePath.includes("\\")) {
+      throw new Error(`Unsafe well-known file path: ${filePath}`);
+    }
+  }
+  async fetchResourceByEntry(resolvedBase, entry, options, budget, config) {
+    const baseUrl = `${resolvedBase}/.well-known/${config.kind}/${entry.name}`;
+    const files = /* @__PURE__ */ new Map();
+    for (const filePath of entry.files) {
+      this.assertSafeRelativePath(filePath);
+      const fileUrl = `${baseUrl}/${filePath}`;
+      const text = await this.fetchTextWithLimit(
+        fileUrl,
+        options.maxSkillFileBytes,
+        options,
+        budget
+      );
+      if (text.includes("\0")) {
+        throw new Error(`Binary content is not allowed in well-known file: ${filePath}`);
+      }
+      files.set(filePath, text);
+    }
+    const manifestPath = this.pickPrimaryManifestPath(entry.files, config);
+    return config.buildRemoteResult({
+      entry,
+      files,
+      sourceUrl: `${baseUrl}/${manifestPath}`
+    });
+  }
+  pickPrimaryManifestPath(filePaths, config) {
+    const manifests = filePaths.filter((filePath) => config.hasRequiredManifest(filePath)).sort((left, right) => {
+      const leftDepth = left.split("/").length;
+      const rightDepth = right.split("/").length;
+      if (leftDepth !== rightDepth) {
+        return leftDepth - rightDepth;
+      }
+      return left.localeCompare(right);
+    });
+    const manifestPath = manifests[0];
+    if (!manifestPath) {
+      throw new Error("Missing required manifest in well-known index entry");
+    }
+    return manifestPath;
+  }
+  async fetchTextWithLimit(url, maxPerRequestBytes, options, budget) {
+    let currentUrl = url;
+    let redirects = 0;
+    while (true) {
+      const parsed = new URL(currentUrl);
+      if (parsed.protocol !== "https:") {
+        throw new Error("Well-known provider only allows HTTPS fetches");
+      }
+      await this.assertHostAllowed(parsed.hostname, options);
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), options.timeoutMs);
+      let response;
+      try {
+        response = await fetch(currentUrl, {
+          redirect: "manual",
+          signal: controller.signal
+        });
+      } finally {
+        clearTimeout(timeout);
+      }
+      if (response.status >= 300 && response.status < 400) {
+        const location = response.headers.get("location");
+        if (!location) {
+          throw new Error(`Redirect without location for ${currentUrl}`);
+        }
+        redirects += 1;
+        if (redirects > options.maxRedirects) {
+          throw new Error(`Too many redirects for ${url}`);
+        }
+        currentUrl = new URL(location, currentUrl).toString();
+        continue;
+      }
+      if (!response.ok) {
+        throw new Error(`Failed to fetch ${currentUrl}: ${response.status} ${response.statusText}`);
+      }
+      const bytes = new Uint8Array(await response.arrayBuffer());
+      if (bytes.byteLength > maxPerRequestBytes) {
+        throw new Error(`Exceeded per-file download limit for ${currentUrl}`);
+      }
+      budget.remaining -= bytes.byteLength;
+      if (budget.remaining < 0) {
+        throw new Error(`Exceeded total download budget while fetching ${url}`);
+      }
+      return new TextDecoder("utf8").decode(bytes);
+    }
+  }
+  async assertHostAllowed(hostname, options) {
+    const lowerHost = hostname.toLowerCase();
+    if (options.denyHosts.includes(lowerHost)) {
+      throw new Error(`Host '${hostname}' is explicitly denied`);
+    }
+    if (options.allowHosts.length > 0 && !options.allowHosts.includes(lowerHost)) {
+      throw new Error(`Host '${hostname}' is not in allowed host list`);
+    }
+    if (isLocalHostname(lowerHost)) {
+      throw new Error(`Local or loopback host '${hostname}' is not allowed`);
+    }
+    const ips = await resolveHostIps(hostname);
+    if (ips.some((ip) => isPrivateOrLocalIp(ip))) {
+      throw new Error(`Host '${hostname}' resolves to a private/local address`);
+    }
+  }
+};
+function isLocalHostname(hostname) {
+  return hostname === "localhost" || hostname.endsWith(".localhost") || hostname.endsWith(".local");
+}
+async function resolveHostIps(hostname) {
+  const out = /* @__PURE__ */ new Set();
+  try {
+    const entries = await dns.lookup(hostname, { all: true });
+    for (const entry of entries) {
+      out.add(entry.address);
+    }
+  } catch {
+  }
+  return [...out];
+}
+function isPrivateOrLocalIp(ip) {
+  const family = net.isIP(ip);
+  if (family === 4) {
+    return ip.startsWith("10.") || ip.startsWith("127.") || ip.startsWith("169.254.") || ip.startsWith("192.168.") || /^172\.(1[6-9]|2\d|3[0-1])\./.test(ip);
+  }
+  if (family === 6) {
+    const normalized = ip.toLowerCase();
+    return normalized === "::1" || normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("fe80:");
+  }
+  return false;
+}
+var wellKnownProvider = new SecureWellKnownProvider();
+
+// ../../packages/core/src/providers/catalog.ts
+var DEFAULT_OPTIONS2 = {
+  maxDownloadBytes: 5 * 1024 * 1024,
+  timeoutMs: 1e4,
+  maxFilesPerSkill: 128,
+  maxSkillFileBytes: 512 * 1024
+};
+var HttpCatalogProvider = class {
+  id = "catalog";
+  displayName = "HTTP Catalog Skills";
+  match(url) {
+    try {
+      const parsed = new URL(url);
+      if (parsed.protocol !== "https:") {
+        return { matches: false };
+      }
+      return { matches: true, sourceIdentifier: this.getSourceIdentifier(url) };
+    } catch {
+      return { matches: false };
+    }
+  }
+  getSourceIdentifier(url) {
+    const parsed = new URL(url);
+    return `catalog/${parsed.host}${parsed.pathname.replace(/\/+$/, "")}`;
+  }
+  async fetchAllSkills(url, options = {}) {
+    return this.fetchAllResources(url, options, {
+      kind: "skills",
+      indexLabel: "catalog skills",
+      resolveIndexUrl(parsed) {
+        return parsed.pathname.endsWith(".json") ? parsed.toString() : new URL(
+          "index.json",
+          parsed.toString().endsWith("/") ? parsed.toString() : `${parsed.toString()}/`
+        ).toString();
+      },
+      requireDescription: true,
+      missingManifestMessage: (name) => `Catalog skill '${name}' is missing SKILL.md`,
+      hasRequiredManifest(filePath) {
+        return filePath.toLowerCase() === "skill.md";
+      },
+      buildRemoteResult({ entry, files, sourceUrl }) {
+        return {
+          name: entry.name,
+          description: entry.description || "",
+          installName: entry.name,
+          sourceUrl,
+          sourceType: "catalog",
+          files
+        };
+      }
+    });
+  }
+  async fetchAllResources(url, options, config) {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:") {
+      throw new Error("Catalog provider requires HTTPS URLs");
+    }
+    const maxDownloadBytes = options.maxDownloadBytes ?? DEFAULT_OPTIONS2.maxDownloadBytes;
+    const timeoutMs = options.timeoutMs ?? DEFAULT_OPTIONS2.timeoutMs;
+    const maxFilesPerSkill = options.maxFilesPerSkill ?? DEFAULT_OPTIONS2.maxFilesPerSkill;
+    const maxSkillFileBytes = options.maxSkillFileBytes ?? DEFAULT_OPTIONS2.maxSkillFileBytes;
+    const indexUrl = config.resolveIndexUrl(parsed);
+    const indexText = await this.fetchTextWithLimit(
+      indexUrl,
+      Math.min(maxDownloadBytes, maxSkillFileBytes),
+      timeoutMs
+    );
+    const index = this.validateIndex(JSON.parse(indexText), maxFilesPerSkill, config);
+    const out = [];
+    let remaining = maxDownloadBytes - indexText.length;
+    const indexBase = indexUrl.slice(0, indexUrl.lastIndexOf("/") + 1);
+    for (const row of index) {
+      const files = /* @__PURE__ */ new Map();
+      for (const rel of row.files) {
+        this.assertSafeRelativePath(rel);
+        const fileUrl = new URL(`${row.name}/${rel}`, indexBase).toString();
+        if (remaining <= 0) {
+          throw new Error("Catalog download budget exhausted");
+        }
+        const text = await this.fetchTextWithLimit(
+          fileUrl,
+          Math.min(remaining, maxSkillFileBytes),
+          timeoutMs
+        );
+        remaining -= text.length;
+        files.set(rel, text);
+      }
+      out.push(
+        config.buildRemoteResult({
+          entry: row,
+          files,
+          sourceUrl: new URL(
+            `${row.name}/${this.pickPrimaryManifestPath(row.files, config)}`,
+            indexBase
+          ).toString()
+        })
+      );
+    }
+    return out;
+  }
+  async fetchTextWithLimit(url, maxBytes, timeoutMs) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+      const response = await fetch(url, { signal: controller.signal });
+      if (!response.ok) {
+        throw new Error(
+          `Catalog fetch failed (${response.status} ${response.statusText}) for ${url}`
+        );
+      }
+      const bytes = new Uint8Array(await response.arrayBuffer());
+      if (bytes.byteLength > maxBytes) {
+        throw new Error(`Catalog file exceeds size limit for ${url}`);
+      }
+      return new TextDecoder("utf8").decode(bytes);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  validateIndex(raw, maxFilesPerSkill, config) {
+    if (!raw || typeof raw !== "object") {
+      throw new Error("Invalid catalog index: expected object");
+    }
+    const data = raw;
+    const rows = data[config.kind];
+    if (!Array.isArray(rows)) {
+      throw new Error(`Invalid catalog index: '${config.kind}' must be an array`);
+    }
+    return rows.map((item, idx) => {
+      if (!item || typeof item !== "object") {
+        throw new Error(`Invalid catalog index entry[${idx}]`);
+      }
+      const row = item;
+      const name = String(row.name || "").trim();
+      const description = typeof row.description === "string" ? row.description.trim() : void 0;
+      const files = Array.isArray(row.files) ? row.files.map((x) => String(x)) : [];
+      if (!name || files.length === 0) {
+        throw new Error(`Invalid catalog index entry[${idx}]: missing required fields`);
+      }
+      if (config.requireDescription && !description) {
+        throw new Error(`Invalid catalog index entry[${idx}]: missing required fields`);
+      }
+      if (files.length > maxFilesPerSkill) {
+        throw new Error(`Too many files in catalog ${config.kind.slice(0, -1)} '${name}'`);
+      }
+      if (!files.some((filePath) => config.hasRequiredManifest(filePath))) {
+        throw new Error(config.missingManifestMessage(name));
+      }
+      for (const file of files) {
+        this.assertSafeRelativePath(file);
+      }
+      return { name, description, files };
+    });
+  }
+  pickPrimaryManifestPath(filePaths, config) {
+    const manifests = filePaths.filter((filePath) => config.hasRequiredManifest(filePath)).sort((left, right) => {
+      const leftDepth = left.split("/").length;
+      const rightDepth = right.split("/").length;
+      if (leftDepth !== rightDepth) {
+        return leftDepth - rightDepth;
+      }
+      return left.localeCompare(right);
+    });
+    const manifestPath = manifests[0];
+    if (!manifestPath) {
+      throw new Error("Catalog entry is missing required manifest");
+    }
+    return manifestPath;
+  }
+  assertSafeRelativePath(filePath) {
+    if (!filePath || filePath.startsWith("/") || filePath.startsWith("\\") || filePath.includes("..") || filePath.includes("\\")) {
+      throw new Error(`Unsafe catalog file path: ${filePath}`);
+    }
+  }
+};
+var catalogProvider = new HttpCatalogProvider();
+
+// ../../packages/core/src/providers/index.ts
+var initialized = false;
+function initializeProviders() {
+  if (initialized) {
+    return;
+  }
+  registerProvider(wellKnownProvider);
+  registerProvider(catalogProvider);
+  initialized = true;
+}
+
+// ../../packages/core/src/application/experimental.ts
+function assertExperimentalFeatureEnabled(feature, enabled) {
+  if (enabled) {
+    return;
+  }
+  if (feature === "catalog") {
+    throw new Error("Catalog source is experimental and requires explicit experimental mode.");
+  }
+}
+
+// ../../packages/core/src/sources/source-resolution.ts
+async function resolveWellKnownSkills(sourceUrl, options) {
+  initializeProviders();
+  const provider = getProviderById("well-known");
+  if (!provider) {
+    throw new Error("Well-known provider is not registered");
+  }
+  const wellKnown = provider;
+  return wellKnown.fetchAllSkills(sourceUrl, {
+    allowHosts: options.allowHost,
+    denyHosts: options.denyHost,
+    maxDownloadBytes: options.maxDownloadBytes
+  });
+}
+async function resolveCatalogSkills(sourceUrl, options) {
+  assertExperimentalFeatureEnabled("catalog", Boolean(options.experimental));
+  initializeProviders();
+  const provider = getProviderById("catalog");
+  if (!provider) {
+    throw new Error("Catalog provider is not registered");
+  }
+  const catalog = provider;
+  return catalog.fetchAllSkills(sourceUrl, {
+    allowHosts: options.allowHost,
+    denyHosts: options.denyHost,
+    maxDownloadBytes: options.maxDownloadBytes
+  });
+}
+
+// ../../packages/core/src/runtime/hash.ts
+import fs4 from "node:fs";
+import path5 from "node:path";
+import { createHash } from "node:crypto";
+var SKIP_DIRS2 = /* @__PURE__ */ new Set([".git", "node_modules", "dist", "build", "__pycache__"]);
+var SKIP_FILES = /* @__PURE__ */ new Set(["skillspp-lock.json", "skillspp-lock.yaml"]);
+function walkDir(baseDir, dir, hash) {
+  const entries = fs4.readdirSync(dir, { withFileTypes: true }).sort((a, b) => a.name.localeCompare(b.name));
+  for (const entry of entries) {
+    if (entry.isDirectory() && SKIP_DIRS2.has(entry.name)) {
+      continue;
+    }
+    const fullPath = path5.join(dir, entry.name);
+    const relativePath = path5.relative(baseDir, fullPath).replace(/\\/g, "/");
+    if (entry.isDirectory()) {
+      hash.update(`dir:${relativePath}
+`);
+      walkDir(baseDir, fullPath, hash);
+      continue;
+    }
+    if (entry.isFile()) {
+      if (SKIP_FILES.has(entry.name)) {
+        continue;
+      }
+      const content = fs4.readFileSync(fullPath);
+      hash.update(`file:${relativePath}
+`);
+      hash.update(content);
+      hash.update("\n");
+    }
+  }
+}
+function waitForNextTurn() {
+  return new Promise((resolve) => {
+    setImmediate(resolve);
+  });
+}
+async function walkDirAsync(baseDir, dir, hash) {
+  const entries = (await fs4.promises.readdir(dir, { withFileTypes: true })).sort(
+    (a, b) => a.name.localeCompare(b.name)
+  );
+  for (const entry of entries) {
+    await waitForNextTurn();
+    if (entry.isDirectory() && SKIP_DIRS2.has(entry.name)) {
+      continue;
+    }
+    const fullPath = path5.join(dir, entry.name);
+    const relativePath = path5.relative(baseDir, fullPath).replace(/\\/g, "/");
+    if (entry.isDirectory()) {
+      hash.update(`dir:${relativePath}
+`);
+      await walkDirAsync(baseDir, fullPath, hash);
+      continue;
+    }
+    if (entry.isFile()) {
+      if (SKIP_FILES.has(entry.name)) {
+        continue;
+      }
+      const content = await fs4.promises.readFile(fullPath);
+      hash.update(`file:${relativePath}
+`);
+      hash.update(content);
+      hash.update("\n");
+    }
+  }
+}
+function hashDirectory(dirPath) {
+  const resolved = path5.resolve(dirPath);
+  if (!fs4.existsSync(resolved) || !fs4.statSync(resolved).isDirectory()) {
+    throw new Error(`Directory not found for hashing: ${resolved}`);
+  }
+  const hash = createHash("sha256");
+  walkDir(resolved, resolved, hash);
+  return hash.digest("hex");
+}
+async function hashDirectoryAsync(dirPath) {
+  const resolved = path5.resolve(dirPath);
+  const stats = await fs4.promises.stat(resolved).catch(() => null);
+  if (!stats || !stats.isDirectory()) {
+    throw new Error(`Directory not found for hashing: ${resolved}`);
+  }
+  const hash = createHash("sha256");
+  await walkDirAsync(resolved, resolved, hash);
+  return hash.digest("hex");
+}
+
+// ../../packages/core/src/runtime/lockfile.ts
+import fs5 from "node:fs";
+import path6 from "node:path";
+import YAML from "yaml";
+function resolveSourceLoadInput(source) {
+  return source.type === "local" && source.canonical ? source.canonical : source.input;
+}
+function buildSourceIdentityCacheKey(parsed) {
+  if (parsed.type === "local") {
+    return `local:${parsed.localPath}`;
+  }
+  if (parsed.type === "well-known") {
+    return `well-known:${parsed.url}`;
+  }
+  if (parsed.type === "catalog") {
+    return `catalog:${parsed.url}`;
+  }
+  if (parsed.type === "github") {
+    return `github:${parsed.repoUrl}:${parsed.ref || ""}:${parsed.subpath || ""}`;
+  }
+  return `git:${parsed.repoUrl}`;
+}
+function buildSourceLoadCacheKey(source) {
+  return buildSourceIdentityCacheKey(parseSource(resolveSourceLoadInput(source)));
+}
+function perSkillLockfilePath(canonicalDir, format = "json") {
+  if (format === "yaml") {
+    return path6.join(canonicalDir, "skillspp-lock.yaml");
+  }
+  return path6.join(canonicalDir, "skillspp-lock.json");
+}
+function parseLockPayload(text, format) {
+  const raw = format === "json" ? JSON.parse(text) : YAML.parse(text);
+  if (!raw || raw.version !== 1) {
+    return null;
+  }
+  return raw;
+}
+function readPerSkillLockfile(canonicalDir) {
+  const jsonPath = perSkillLockfilePath(canonicalDir, "json");
+  const yamlPath = perSkillLockfilePath(canonicalDir, "yaml");
+  const raw = fs5.existsSync(jsonPath) ? parseLockPayload(fs5.readFileSync(jsonPath, "utf8"), "json") : fs5.existsSync(yamlPath) ? parseLockPayload(fs5.readFileSync(yamlPath, "utf8"), "yaml") : null;
+  if (!raw) {
+    return null;
+  }
+  if (raw.entry && typeof raw.entry.skillName === "string") {
+    return raw.entry;
+  }
+  if (Array.isArray(raw.entries) && raw.entries[0] && typeof raw.entries[0].skillName === "string") {
+    return raw.entries[0];
+  }
+  return null;
+}
+function writePerSkillLockfile(canonicalDir, entry, format) {
+  const jsonPath = perSkillLockfilePath(canonicalDir, "json");
+  const yamlPath = perSkillLockfilePath(canonicalDir, "yaml");
+  fs5.mkdirSync(canonicalDir, { recursive: true });
+  if (format === "yaml") {
+    fs5.writeFileSync(yamlPath, YAML.stringify({ version: 1, entry }), "utf8");
+    if (fs5.existsSync(jsonPath)) {
+      fs5.rmSync(jsonPath, { force: true });
+    }
+    return;
+  }
+  fs5.writeFileSync(jsonPath, `${JSON.stringify({ version: 1, entry }, null, 2)}
+`, "utf8");
+  if (fs5.existsSync(yamlPath)) {
+    fs5.rmSync(yamlPath, { force: true });
+  }
+}
+function isSkillDirEntry(entry) {
+  return entry.isDirectory() || entry.isSymbolicLink();
+}
+function listInstalledResourceDirs(_kind, globalInstall, cwd) {
+  const out = /* @__PURE__ */ new Set();
+  for (const agent of Object.keys(AGENTS)) {
+    const resourceRoot = getAgentSkillsDir(agent, globalInstall, cwd);
+    if (!fs5.existsSync(resourceRoot) || !fs5.statSync(resourceRoot).isDirectory()) {
+      continue;
+    }
+    for (const entry of fs5.readdirSync(resourceRoot, { withFileTypes: true })) {
+      if (!isSkillDirEntry(entry)) {
+        continue;
+      }
+      out.add(path6.join(resourceRoot, entry.name));
+    }
+  }
+  return [...out];
+}
+function lockEntrySortTime(entry) {
+  const parsed = Date.parse(entry.updatedAt);
+  return Number.isFinite(parsed) ? parsed : 0;
+}
+function readLockfile(globalInstall, cwd) {
+  return readResourceLockfile("skill", globalInstall, cwd);
+}
+function readResourceLockfile(kind, globalInstall, cwd) {
+  const entriesBySkill = /* @__PURE__ */ new Map();
+  for (const skillDir of listInstalledResourceDirs(kind, globalInstall, cwd)) {
+    const entry = readPerSkillLockfile(skillDir);
+    if (!entry || typeof entry.skillName !== "string") {
+      continue;
+    }
+    const existing = entriesBySkill.get(entry.skillName);
+    if (!existing || lockEntrySortTime(entry) > lockEntrySortTime(existing)) {
+      entriesBySkill.set(entry.skillName, entry);
+    }
+  }
+  return {
+    version: 1,
+    entries: [...entriesBySkill.values()].sort((a, b) => a.skillName.localeCompare(b.skillName))
+  };
+}
+function writeLockfile(globalInstall, cwd, lockfile, format = "json") {
+  writeResourceLockfile("skill", globalInstall, cwd, lockfile, format);
+}
+function writeResourceLockfile(_kind, _globalInstall, _cwd, lockfile, format = "json") {
+  const normalized = [...lockfile.entries].sort((a, b) => a.skillName.localeCompare(b.skillName));
+  for (const entry of normalized) {
+    writePerSkillLockfile(entry.canonicalDir, entry, format);
+  }
+}
+function upsertLockEntry(lockfile, entry) {
+  return upsertResourceLockEntry(lockfile, entry);
+}
+function upsertResourceLockEntry(lockfile, entry) {
+  const next = lockfile.entries.filter((item) => item.skillName !== entry.skillName);
+  next.push(entry);
+  return { version: 1, entries: next };
+}
+function listCanonicalSkillDirs(globalInstall, cwd) {
+  return listCanonicalResourceDirs("skill", globalInstall, cwd);
+}
+function listCanonicalResourceDirs(kind, globalInstall, cwd) {
+  return [
+    ...new Set(
+      listInstalledResourceDirs(kind, globalInstall, cwd).map((dir) => path6.basename(dir))
+    )
+  ].sort((a, b) => a.localeCompare(b));
+}
+
+// ../../packages/core/src/runtime/check-analysis.ts
+function includeBySkill(entry, selected) {
+  if (!selected || selected.length === 0 || selected.includes("*")) {
+    return true;
+  }
+  return selected.includes(entry.skillName);
+}
+function migrateHint(skillName) {
+  return `skillspp update ${skillName} --migrate <new-skill-source>`;
+}
+function resolveSourceMetadataIssue(entry) {
+  if (!entry.source.canonical) {
+    return `source canonical metadata missing; run ${migrateHint(entry.skillName)}`;
+  }
+  if (entry.source.type === "local") {
+    if (!entry.source.resolvedPath) {
+      return `local source metadata missing; run ${migrateHint(entry.skillName)}`;
+    }
+    if (!fs6.existsSync(entry.source.canonical)) {
+      return `local source path not found; run ${migrateHint(entry.skillName)}`;
+    }
+    return null;
+  }
+  if (!entry.source.pinnedRef) {
+    return `remote pin metadata missing; run ${migrateHint(entry.skillName)}`;
+  }
+  return null;
+}
+function createRetainedCleanup(cleanup) {
+  let cleaned = false;
+  let refCount = 0;
+  const runCleanup = () => {
+    if (cleaned) {
+      return;
+    }
+    cleaned = true;
+    cleanup?.();
+  };
+  const cleanupNow = () => {
+    if (refCount === 0) {
+      runCleanup();
+    }
+  };
+  const retainCleanup = () => {
+    refCount += 1;
+    let released = false;
+    return () => {
+      if (released) {
+        return;
+      }
+      released = true;
+      refCount -= 1;
+      if (refCount === 0) {
+        runCleanup();
+      }
+    };
+  };
+  return {
+    cleanupNow,
+    retainCleanup
+  };
+}
+function toAsyncResult(promise) {
+  return promise.then(
+    (value) => ({ ok: true, value }),
+    (error) => ({ ok: false, error })
+  );
+}
+function unwrapAsyncResult(result) {
+  if (result.ok) {
+    return result.value;
+  }
+  throw result.error;
+}
+async function loadCachedSource(entry, options) {
+  const sourceInput = resolveSourceLoadInput(entry.source);
+  const parsed = parseSource(sourceInput);
+  if (parsed.type === "well-known" || parsed.type === "catalog") {
+    const remoteSkills = parsed.type === "well-known" ? await resolveWellKnownSkills(parsed.url, options) : await resolveCatalogSkills(parsed.url, options);
+    return {
+      kind: "remote",
+      remoteSkills
+    };
+  }
+  const prepared = await prepareSourceDirAsync(
+    parsed
+  );
+  const retainedCleanup = createRetainedCleanup(prepared.cleanup);
+  try {
+    const skills = await discoverSkillsAsync(prepared.basePath);
+    return {
+      kind: "prepared",
+      basePath: prepared.basePath,
+      skills,
+      cleanupNow: retainedCleanup.cleanupNow,
+      retainCleanup: retainedCleanup.retainCleanup
+    };
+  } catch (error) {
+    retainedCleanup.cleanupNow();
+    throw error;
+  }
+}
+function resolveSafeRealPath(inputPath) {
+  try {
+    return fs6.realpathSync(inputPath);
+  } catch {
+    return path7.resolve(inputPath);
+  }
+}
+function isLocalSymlinkSource(localPath) {
+  try {
+    if (!fs6.existsSync(localPath)) {
+      return false;
+    }
+    return fs6.lstatSync(localPath).isSymbolicLink();
+  } catch {
+    return false;
+  }
+}
+async function buildRefreshedSourceMetadata(entry, resolved, cachedSource, sourceHash) {
+  if (entry.source.type === "local") {
+    const canonical2 = entry.source.canonical || entry.source.input;
+    return {
+      canonical: canonical2,
+      resolvedPath: resolveSafeRealPath(resolved.skill.path),
+      isSymlinkSource: isLocalSymlinkSource(canonical2),
+      sourceSkillPath: resolved.sourceSkillPath
+    };
+  }
+  if (entry.source.type === "git" || entry.source.type === "github") {
+    const nextPinnedRef = cachedSource.kind === "prepared" ? await resolveGitHeadRefAsync(cachedSource.basePath) : entry.source.pinnedRef;
+    return {
+      canonical: entry.source.canonical,
+      pinnedRef: nextPinnedRef,
+      sourceSkillPath: resolved.sourceSkillPath
+    };
+  }
+  const canonical = resolved.wellKnownSourceUrl || entry.source.canonical;
+  return {
+    canonical,
+    pinnedRef: sourceHash,
+    wellKnownSourceUrl: resolved.wellKnownSourceUrl
+  };
+}
+function resolveCandidateFromCachedSource(entry, cachedSource, keepResolved) {
+  if (cachedSource.kind === "remote") {
+    const matched2 = cachedSource.remoteSkills.find(
+      (item) => item.installName === entry.source.selector.skillName
+    );
+    if (!matched2) {
+      throw new Error(`Skill '${entry.source.selector.skillName}' not found in well-known source`);
+    }
+    const staged = stageRemoteSkillFilesToTempDir(matched2.files);
+    return {
+      skill: {
+        name: matched2.installName,
+        description: matched2.description,
+        path: staged.path
+      },
+      wellKnownSourceUrl: matched2.sourceUrl,
+      cleanup: staged.cleanup
+    };
+  }
+  const matched = entry.source.selector.relativePath ? cachedSource.skills.find(
+    (item) => path7.resolve(item.path) === path7.resolve(path7.join(cachedSource.basePath, entry.source.selector.relativePath))
+  ) : cachedSource.skills.find((item) => item.name === entry.source.selector.skillName);
+  if (!matched) {
+    throw new Error(`Skill '${entry.source.selector.skillName}' not found in source`);
+  }
+  return {
+    skill: matched,
+    sourceSkillPath: path7.relative(cachedSource.basePath, matched.path) || ".",
+    cleanup: keepResolved ? cachedSource.retainCleanup() : void 0
+  };
+}
+async function assessLockEntries(options, cwd, behavior = { keepResolved: false }) {
+  const lock = readLockfile(Boolean(options.global), cwd);
+  const entries = lock.entries.filter((entry) => includeBySkill(entry, options.skill));
+  const drift = [];
+  const assessments = [];
+  const sourceOptions = {
+    global: options.global,
+    allowHost: options.allowHost,
+    denyHost: options.denyHost,
+    maxDownloadBytes: options.maxDownloadBytes,
+    policyMode: options.policyMode,
+    experimental: options.experimental
+  };
+  const sourceCache = /* @__PURE__ */ new Map();
+  const getCachedSource = (entry) => {
+    const key = buildSourceLoadCacheKey(entry.source);
+    const existing = sourceCache.get(key);
+    if (existing) {
+      return existing;
+    }
+    const created = loadCachedSource(entry, sourceOptions);
+    sourceCache.set(key, created);
+    return created;
+  };
+  try {
+    for (const entry of entries) {
+      const assessment = {
+        entry,
+        drift: []
+      };
+      if (!fs6.existsSync(entry.canonicalDir) || !fs6.statSync(entry.canonicalDir).isDirectory()) {
+        const row = {
+          skillName: entry.skillName,
+          kind: "local-modified",
+          detail: "canonical directory is missing"
+        };
+        drift.push(row);
+        assessment.drift.push(row);
+        assessments.push(assessment);
+        continue;
+      }
+      const installedHash = unwrapAsyncResult(
+        await toAsyncResult(hashDirectoryAsync(entry.canonicalDir))
+      );
+      if (installedHash !== entry.installedHash) {
+        const row = {
+          skillName: entry.skillName,
+          kind: "local-modified",
+          detail: "installed content differs from lockfile hash"
+        };
+        drift.push(row);
+        assessment.drift.push(row);
+      }
+      const metadataIssue = resolveSourceMetadataIssue(entry);
+      if (metadataIssue) {
+        const row = {
+          skillName: entry.skillName,
+          kind: "migrate-required",
+          detail: metadataIssue
+        };
+        drift.push(row);
+        assessment.drift.push(row);
+        assessments.push(assessment);
+        continue;
+      }
+      let resolved;
+      try {
+        const cachedSource = unwrapAsyncResult(await toAsyncResult(getCachedSource(entry)));
+        resolved = resolveCandidateFromCachedSource(entry, cachedSource, behavior.keepResolved);
+        if (entry.source.type === "local") {
+          const currentResolvedPath = fs6.realpathSync(resolved.skill.path);
+          if (currentResolvedPath !== path7.resolve(entry.source.resolvedPath)) {
+            const row = {
+              skillName: entry.skillName,
+              kind: "migrate-required",
+              detail: `local source identity changed; run ${migrateHint(entry.skillName)}`
+            };
+            drift.push(row);
+            assessment.drift.push(row);
+            if (resolved.cleanup && !behavior.keepResolved) {
+              resolved.cleanup();
+              resolved = void 0;
+            }
+            assessments.push(assessment);
+            continue;
+          }
+        }
+        const sourceHash = await hashDirectoryAsync(resolved.skill.path);
+        assessment.sourceHash = sourceHash;
+        assessment.refreshedSource = await buildRefreshedSourceMetadata(
+          entry,
+          resolved,
+          cachedSource,
+          sourceHash
+        );
+        if (sourceHash !== entry.sourceHash) {
+          const row = {
+            skillName: entry.skillName,
+            kind: "changed-source",
+            detail: "source hash changed"
+          };
+          drift.push(row);
+          assessment.drift.push(row);
+        }
+        if (behavior.keepResolved) {
+          assessment.resolved = resolved;
+        }
+      } catch (error) {
+        const asText = error instanceof Error ? error.message : String(error);
+        const migrateRequired = entry.source.type === "local" && (asText.includes("Local source not found") || asText.includes("not found in source"));
+        const row = {
+          skillName: entry.skillName,
+          kind: migrateRequired ? "migrate-required" : "missing-source",
+          detail: migrateRequired ? `local source identity changed; run ${migrateHint(entry.skillName)}` : asText
+        };
+        drift.push(row);
+        assessment.drift.push(row);
+      } finally {
+        if (resolved?.cleanup && !behavior.keepResolved) {
+          resolved.cleanup();
+        }
+      }
+      assessments.push(assessment);
+    }
+    const canonical = listCanonicalSkillDirs(Boolean(options.global), cwd);
+    const lockNames = new Set(lock.entries.map((item) => item.skillName));
+    for (const skillName of canonical) {
+      if (!lockNames.has(skillName) && includeBySkill({ skillName }, options.skill)) {
+        drift.push({
+          skillName,
+          kind: "lock-missing",
+          detail: "installed skill is not tracked in lockfile"
+        });
+      }
+    }
+    return { drift, checked: entries.length, assessments };
+  } finally {
+    if (!behavior.keepResolved) {
+      for (const cachedSourcePromise of sourceCache.values()) {
+        const cachedSource = await cachedSourcePromise.catch(() => null);
+        if (cachedSource?.kind === "prepared") {
+          cachedSource.cleanupNow();
+        }
+      }
+    }
+  }
+}
+
+// ../../packages/core/src/runtime/validate-analysis.ts
+import fs9 from "node:fs";
+import path10 from "node:path";
+import os5 from "node:os";
+import matter2 from "gray-matter";
+
+// ../../packages/core/src/runtime/skill-installer.ts
+import { spawnSync as spawnSync2 } from "node:child_process";
+import fs8 from "node:fs";
+import os4 from "node:os";
+import path9 from "node:path";
+import YAML2 from "yaml";
+import { z } from "zod";
+
+// ../../packages/core/src/runtime/installer-security.ts
+import fs7 from "node:fs";
+import path8 from "node:path";
+function isInsideRoot(rootDir, candidatePath) {
+  const relative = path8.relative(rootDir, candidatePath);
+  return Boolean(relative) && !relative.startsWith("..") && !path8.isAbsolute(relative);
+}
+function toEscapeViolation(source) {
+  return {
+    rule: "installer-local-dependency-path-escape",
+    message: `local dependency escapes source root: ${source}`,
+    severity: "error",
+    blocking: true
+  };
+}
+function evaluateInstallerLocalDependency(input, _options = {}) {
+  if (path8.isAbsolute(input.source)) {
+    return {
+      ok: false,
+      violation: {
+        rule: "installer-local-dependency-absolute-path",
+        message: `absolute local dependency paths are not allowed: ${input.source}`,
+        severity: "error",
+        blocking: true
+      }
+    };
+  }
+  const resolvedRoot = path8.resolve(input.sourceRoot);
+  const resolvedSourcePath = path8.resolve(resolvedRoot, input.source);
+  if (!isInsideRoot(resolvedRoot, resolvedSourcePath)) {
+    return {
+      ok: false,
+      violation: toEscapeViolation(input.source)
+    };
+  }
+  if (fs7.existsSync(resolvedSourcePath)) {
+    const realRoot = fs7.realpathSync.native ? fs7.realpathSync.native(resolvedRoot) : fs7.realpathSync(resolvedRoot);
+    const realSource = fs7.realpathSync.native ? fs7.realpathSync.native(resolvedSourcePath) : fs7.realpathSync(resolvedSourcePath);
+    if (!isInsideRoot(realRoot, realSource)) {
+      return {
+        ok: false,
+        violation: toEscapeViolation(input.source)
+      };
+    }
+  }
+  return {
+    ok: true,
+    resolvedPath: resolvedSourcePath
+  };
+}
+
+// ../../packages/core/src/runtime/policy.ts
+function applyMode(result, mode) {
+  if (mode === "enforce" || result.ok) {
+    return result;
+  }
+  const violation = "violation" in result ? result.violation : void 0;
+  if (!violation) {
+    return result;
+  }
+  return {
+    ok: false,
+    violation: {
+      ...violation,
+      severity: "warning",
+      blocking: false
+    }
+  };
+}
+function evaluateInstallerLocalDependencyPolicy(input, mode) {
+  return applyMode(evaluateInstallerLocalDependency(input, { policyMode: "fixed" }), mode);
+}
+function evaluateHookTrustPolicy(input) {
+  if (input.sourceType !== "well-known") {
+    return { allowed: true };
+  }
+  if (input.trustWellKnown) {
+    return { allowed: true };
+  }
+  if (input.mode === "warn") {
+    return {
+      allowed: true,
+      violation: {
+        rule: "hook-trust-required",
+        message: "Well-known hook commands are untrusted. Proceeding due to warning policy mode.",
+        severity: "warning",
+        blocking: false
+      }
+    };
+  }
+  return {
+    allowed: false,
+    violation: {
+      rule: "hook-trust-required",
+      message: "Blocked skill-installer hook commands for well-known source. Trust this source explicitly or use warning policy mode.",
+      severity: "error",
+      blocking: true
+    }
+  };
+}
+
+// ../../packages/core/src/runtime/skill-installer.ts
+var InstallerSecurityError = class extends Error {
+  violation;
+  constructor(violation) {
+    super(violation.message);
+    this.name = "InstallerSecurityError";
+    this.violation = violation;
+  }
+};
+function isInstallerSecurityError(error) {
+  return error instanceof InstallerSecurityError;
+}
+var InstallerPolicyError = class extends Error {
+  violation;
+  constructor(violation) {
+    super(violation.message);
+    this.name = "InstallerPolicyError";
+    this.violation = violation;
+  }
+};
+function isInstallerPolicyError(error) {
+  return error instanceof InstallerPolicyError;
+}
+var dependencyObjectSchema = z.object({
+  source: z.string().min(1),
+  path: z.string().min(1)
+}).strict();
+var installerConfigSchema = z.object({
+  schemaVersion: z.literal(1),
+  "pre-install": z.array(z.string().min(1)).optional().default([]),
+  dependencies: z.array(z.union([z.string().min(1), dependencyObjectSchema])).optional().default([]),
+  "post-install": z.array(z.string().min(1)).optional().default([])
+}).strict();
+function ensureInsideRoot(rootDir, relativeTarget) {
+  const resolved = path9.resolve(rootDir, relativeTarget);
+  const relative = path9.relative(rootDir, resolved);
+  if (!relative || relative.startsWith("..") || path9.isAbsolute(relative)) {
+    throw new Error(`Unsafe destination path: ${relativeTarget}`);
+  }
+  return resolved;
+}
+function sourceLooksLikeUrl(source) {
+  try {
+    const parsed = new URL(source);
+    return parsed.protocol === "http:" || parsed.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+function sourceLooksLikeRepoShorthand(source) {
+  const trimmed = source.trim().replace(/^https?:\/\//, "");
+  return /^(github\.com|gitlab\.com)\/[^/]+\/[^/]+(?:\.git)?\/?$/.test(trimmed);
+}
+function parseRepoSource(source) {
+  const withoutProtocol = source.trim().replace(/^https?:\/\//, "").replace(/\/+$/, "");
+  const match = withoutProtocol.match(/^(github\.com|gitlab\.com)\/([^/]+)\/([^/]+?)(?:\.git)?$/);
+  if (!match) {
+    throw new Error(`Unsupported repository dependency source: ${source}`);
+  }
+  const host = match[1];
+  const owner = match[2];
+  const repo = match[3];
+  return {
+    repoUrl: `https://${host}/${owner}/${repo}.git`,
+    repoName: repo
+  };
+}
+function deriveDestinationNameFromSource(source) {
+  if (sourceLooksLikeUrl(source)) {
+    const parsed = new URL(source);
+    const parts = parsed.pathname.split("/").filter(Boolean);
+    const leaf2 = parts[parts.length - 1];
+    if (!leaf2) {
+      throw new Error(`Cannot derive dependency name from URL source: ${source}`);
+    }
+    return leaf2;
+  }
+  if (sourceLooksLikeRepoShorthand(source)) {
+    return parseRepoSource(source).repoName;
+  }
+  const leaf = path9.basename(source);
+  if (!leaf || leaf === "." || leaf === path9.sep) {
+    throw new Error(`Cannot derive dependency name from source: ${source}`);
+  }
+  return leaf;
+}
+function classifyDependencySource(source) {
+  if (sourceLooksLikeUrl(source)) {
+    return "url";
+  }
+  if (sourceLooksLikeRepoShorthand(source)) {
+    return "repo";
+  }
+  return "local";
+}
+function parseConfigObject(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    throw new Error("Invalid skill-installer config: expected an object with top-level keys");
+  }
+  const parsed = raw;
+  if (typeof parsed["skill-installer"] !== "undefined") {
+    throw new Error(
+      "Invalid skill-installer config: do not nest under 'skill-installer:'. Use top-level 'pre-install', 'dependencies', and 'post-install'."
+    );
+  }
+  if (Array.isArray(parsed.dependencies)) {
+    const hasLegacyDependency = parsed.dependencies.some((entry) => {
+      if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+        return false;
+      }
+      const row = entry;
+      return typeof row.type !== "undefined" || typeof row.url !== "undefined" || typeof row.name !== "undefined";
+    });
+    if (hasLegacyDependency) {
+      throw new Error(
+        "Invalid skill-installer config: legacy dependency format detected. Use schemaVersion: 1 and the lean dependencies format from docs/proposed-skill-format.md."
+      );
+    }
+  }
+  const validated = installerConfigSchema.safeParse(parsed);
+  if (!validated.success) {
+    const reason = validated.error.issues.map((issue) => issue.message).join("; ");
+    throw new Error(
+      `Invalid skill-installer config: ${reason}. Use docs/proposed-skill-format.md as the source-of-truth for schemaVersion, dependencies, pre-install, and post-install.`
+    );
+  }
+  const normalized = validated.data;
+  return {
+    schemaVersion: 1,
+    preInstall: normalized["pre-install"],
+    dependencies: normalized.dependencies.map(
+      (dep) => typeof dep === "string" ? dep : { source: dep.source, path: dep.path }
+    ),
+    postInstall: normalized["post-install"]
+  };
+}
+function assertNoLegacyInstallerBlock(skillDir) {
+  const openAiYamlPath = path9.join(skillDir, "agents", "openai.yaml");
+  if (!fs8.existsSync(openAiYamlPath) || !fs8.statSync(openAiYamlPath).isFile()) {
+    return;
+  }
+  const parsed = YAML2.parse(fs8.readFileSync(openAiYamlPath, "utf8"));
+  if (parsed && typeof parsed === "object" && typeof parsed["skill-installer"] !== "undefined") {
+    throw new Error(
+      "Legacy skill-installer config detected in agents/openai.yaml. Move it to skill-installer.yaml or skill-installer.json."
+    );
+  }
+}
+function loadInstallerConfig(skillDir) {
+  assertNoLegacyInstallerBlock(skillDir);
+  const yamlPath = path9.join(skillDir, "skill-installer.yaml");
+  const jsonPath = path9.join(skillDir, "skill-installer.json");
+  const hasYaml = fs8.existsSync(yamlPath) && fs8.statSync(yamlPath).isFile();
+  const hasJson = fs8.existsSync(jsonPath) && fs8.statSync(jsonPath).isFile();
+  if (hasYaml && hasJson) {
+    throw new Error(
+      "Both skill-installer.yaml and skill-installer.json exist. Keep only one installer config file."
+    );
+  }
+  if (!hasYaml && !hasJson) {
+    return {
+      schemaVersion: 1,
+      preInstall: [],
+      dependencies: [],
+      postInstall: []
+    };
+  }
+  if (hasYaml) {
+    const parsed = YAML2.parse(fs8.readFileSync(yamlPath, "utf8"));
+    return parseConfigObject(parsed);
+  }
+  const raw = JSON.parse(fs8.readFileSync(jsonPath, "utf8"));
+  return parseConfigObject(raw);
+}
+function runHookPhase(phase, commands, cwd, events) {
+  for (const command of commands) {
+    events.push({
+      level: "info",
+      message: `[skills] ${phase}: ${command}`
+    });
+    const result = spawnSync2("sh", ["-c", command], {
+      cwd,
+      encoding: "utf8",
+      stdio: "pipe"
+    });
+    if (result.status !== 0) {
+      const message = (result.stderr || result.stdout || "command failed").trim().split(/\r?\n/)[0] || "command failed";
+      throw new Error(`${phase} command failed: ${command} (${message})`);
+    }
+  }
+}
+function resolveDependencySourceAndTarget(dep) {
+  if (typeof dep === "string") {
+    return {
+      source: dep,
+      targetPath: deriveDestinationNameFromSource(dep)
+    };
+  }
+  return {
+    source: dep.source,
+    targetPath: dep.path
+  };
+}
+function runGitClone(repoUrl, targetDir) {
+  const result = spawnSync2("git", ["clone", "--depth", "1", repoUrl, targetDir], {
+    encoding: "utf8",
+    stdio: "pipe"
+  });
+  if (result.status !== 0) {
+    const message = (result.stderr || result.stdout || "git clone failed").trim().split(/\r?\n/)[0] || "git clone failed";
+    throw new Error(`Repository dependency clone failed: ${repoUrl} (${message})`);
+  }
+}
+async function prepareDependency(source, targetPath, index, sourceCwd, stagingDir, policyMode, events) {
+  const sourceKind = classifyDependencySource(source);
+  if (sourceKind === "local") {
+    const evaluation = evaluateInstallerLocalDependencyPolicy(
+      {
+        source,
+        sourceRoot: sourceCwd
+      },
+      policyMode
+    );
+    if (!evaluation.ok) {
+      const violation = "violation" in evaluation ? evaluation.violation : void 0;
+      if (!violation) {
+        throw new Error(`Dependency[${index}] policy evaluation failed for source: ${source}`);
+      }
+      if (violation.blocking) {
+        throw new InstallerSecurityError(violation);
+      }
+      events.push({
+        level: "warning",
+        message: `[skills] ${violation.message}`
+      });
+    }
+    const sourcePath = evaluation.ok ? evaluation.resolvedPath : path9.resolve(sourceCwd, source);
+    if (!fs8.existsSync(sourcePath)) {
+      throw new Error(`Dependency[${index}] (local) source not found: ${source}`);
+    }
+    fs8.accessSync(sourcePath, fs8.constants.R_OK);
+    events.push({
+      level: "info",
+      message: `[skills] dependency[${index}] preflight-validated: ${source}`
+    });
+    return {
+      kind: "local",
+      index,
+      targetPath,
+      sourcePath,
+      sourceLabel: source
+    };
+  }
+  if (sourceKind === "repo") {
+    const stagePath = ensureInsideRoot(
+      stagingDir,
+      `repo-${index}-${path9.basename(targetPath).replace(/[^a-zA-Z0-9._-]/g, "_")}`
+    );
+    const { repoUrl } = parseRepoSource(source);
+    runGitClone(repoUrl, stagePath);
+    events.push({
+      level: "info",
+      message: `[skills] dependency[${index}] staged: ${source}`
+    });
+    return {
+      kind: "repo-staged",
+      index,
+      targetPath,
+      repoStagePath: stagePath,
+      sourceLabel: source
+    };
+  }
+  const target = new URL(source);
+  if (target.protocol !== "http:" && target.protocol !== "https:") {
+    throw new Error(`Dependency[${index}] (remote) unsupported protocol: ${target.protocol}`);
+  }
+  const response = await fetch(target.toString());
+  if (!response.ok) {
+    throw new Error(
+      `Dependency[${index}] (remote) download failed: ${response.status} ${response.statusText}`
+    );
+  }
+  const stagedFilePath = ensureInsideRoot(
+    stagingDir,
+    `remote-${index}-${path9.basename(targetPath)}`
+  );
+  fs8.mkdirSync(path9.dirname(stagedFilePath), { recursive: true });
+  fs8.writeFileSync(stagedFilePath, Buffer.from(await response.arrayBuffer()));
+  events.push({
+    level: "info",
+    message: `[skills] dependency[${index}] staged: ${source}`
+  });
+  return {
+    kind: "remote-bytes",
+    index,
+    targetPath,
+    remoteBufferPath: stagedFilePath,
+    sourceLabel: source
+  };
+}
+async function prepareInstallerArtifacts(skillDir, sourceCwd, options = {}) {
+  const config = loadInstallerConfig(skillDir);
+  const sourceType = options.sourceType ?? "local";
+  const allowHookCommands = options.allowHookCommands;
+  const policyMode = options.policyMode ?? "enforce";
+  const events = [];
+  if (config.preInstall.length > 0 || config.postInstall.length > 0) {
+    if (allowHookCommands === false) {
+      throw new Error(
+        "Blocked skill-installer hook commands by caller policy for pre/post install commands."
+      );
+    }
+    const trustDecision = evaluateHookTrustPolicy({
+      sourceType,
+      trustWellKnown: Boolean(options.trustWellKnown),
+      mode: policyMode
+    });
+    if (!trustDecision.allowed && trustDecision.violation) {
+      throw new InstallerPolicyError(trustDecision.violation);
+    }
+    if (trustDecision.allowed && trustDecision.violation?.severity === "warning") {
+      events.push({
+        level: "warning",
+        message: `[skills] ${trustDecision.violation.message}`
+      });
+    }
+  }
+  if (config.preInstall.length === 0 && config.dependencies.length === 0 && config.postInstall.length === 0) {
+    return {
+      preInstall: [],
+      postInstall: [],
+      preparedDependencies: [],
+      stagingDir: "",
+      events
+    };
+  }
+  const stagingDir = fs8.mkdtempSync(path9.join(os4.tmpdir(), "skillspp-installer-stage-"));
+  const preparedDependencies = [];
+  const seenTargetPaths = /* @__PURE__ */ new Set();
+  try {
+    for (let i = 0; i < config.dependencies.length; i += 1) {
+      const dep = config.dependencies[i];
+      const { source, targetPath } = resolveDependencySourceAndTarget(dep);
+      const normalizedTarget = targetPath.replace(/\\/g, "/");
+      if (seenTargetPaths.has(normalizedTarget)) {
+        throw new Error(`Dependency[${i}] duplicate target path: ${targetPath}`);
+      }
+      seenTargetPaths.add(normalizedTarget);
+      const destinationInSkill = ensureInsideRoot(skillDir, targetPath);
+      if (fs8.existsSync(destinationInSkill)) {
+        throw new Error(
+          `Dependency[${i}] destination already exists: ${path9.relative(
+            skillDir,
+            destinationInSkill
+          )}`
+        );
+      }
+      const preparedDep = await prepareDependency(
+        source,
+        targetPath,
+        i,
+        sourceCwd,
+        stagingDir,
+        policyMode,
+        events
+      );
+      preparedDependencies.push(preparedDep);
+    }
+    return {
+      preInstall: config.preInstall,
+      postInstall: config.postInstall,
+      preparedDependencies,
+      stagingDir,
+      events
+    };
+  } catch (error) {
+    fs8.rmSync(stagingDir, { recursive: true, force: true });
+    throw error;
+  }
+}
+function cleanupPreparedInstallerArtifacts(prepared) {
+  if (prepared.stagingDir) {
+    fs8.rmSync(prepared.stagingDir, { recursive: true, force: true });
+  }
+}
+async function applyInstallerArtifacts(installedSkillDir, prepared) {
+  if (prepared.preInstall.length === 0 && prepared.postInstall.length === 0 && prepared.preparedDependencies.length === 0) {
+    return;
+  }
+  runHookPhase("pre-install", prepared.preInstall, installedSkillDir, prepared.events);
+  for (const dep of prepared.preparedDependencies) {
+    const destinationPath = ensureInsideRoot(installedSkillDir, dep.targetPath);
+    if (fs8.existsSync(destinationPath)) {
+      throw new Error(
+        `Dependency[${dep.index}] destination already exists: ${path9.relative(
+          installedSkillDir,
+          destinationPath
+        )}`
+      );
+    }
+    fs8.mkdirSync(path9.dirname(destinationPath), { recursive: true });
+    if (dep.kind === "local") {
+      const stat = fs8.statSync(dep.sourcePath);
+      if (stat.isDirectory()) {
+        fs8.cpSync(dep.sourcePath, destinationPath, {
+          recursive: true,
+          force: false,
+          errorOnExist: true
+        });
+      } else {
+        fs8.copyFileSync(dep.sourcePath, destinationPath);
+      }
+    } else if (dep.kind === "remote-bytes") {
+      fs8.copyFileSync(dep.remoteBufferPath, destinationPath);
+    } else {
+      try {
+        fs8.renameSync(dep.repoStagePath, destinationPath);
+      } catch (error) {
+        const code = typeof error === "object" && error !== null && "code" in error && typeof error.code === "string" ? error.code : "";
+        if (code !== "EXDEV") {
+          throw error;
+        }
+        fs8.cpSync(dep.repoStagePath, destinationPath, {
+          recursive: true,
+          force: false,
+          errorOnExist: true
+        });
+      }
+    }
+    prepared.events.push({
+      level: "info",
+      message: `[skills] dependency[${dep.index}] installed: ${dep.targetPath}`
+    });
+  }
+  runHookPhase("post-install", prepared.postInstall, installedSkillDir, prepared.events);
+}
+
+// ../../packages/core/src/contracts/errors/core-error.ts
+var CoreError = class extends Error {
+  code;
+  details;
+  cause;
+  constructor(input) {
+    super(input.message);
+    this.name = "CoreError";
+    this.code = input.code;
+    this.details = input.details;
+    this.cause = input.cause;
+  }
+};
+
+// ../../packages/core/src/runtime/validate-analysis.ts
+var DEFAULT_MAX_LINES = 500;
+var DEFAULT_MAX_DESCRIPTION = 1024;
+function resolveThresholds(options) {
+  return {
+    maxLines: options.maxLines || DEFAULT_MAX_LINES,
+    maxDescriptionChars: options.maxDescriptionChars || DEFAULT_MAX_DESCRIPTION
+  };
+}
+function addDiagnostic(list, diagnostic) {
+  list.push(diagnostic);
+}
+function discoverMarkdownReferences(content) {
+  const refs = /* @__PURE__ */ new Set();
+  const markdownLinkPattern = /\[[^\]]+\]\(([^)]+)\)/g;
+  let match;
+  while ((match = markdownLinkPattern.exec(content)) !== null) {
+    const value = match[1].trim();
+    if (!value || value.startsWith("http://") || value.startsWith("https://") || value.startsWith("#")) {
+      continue;
+    }
+    refs.add(value);
+  }
+  return [...refs];
+}
+var typeRules = [
+  {
+    id: "framework-references-dir",
+    when: (frontmatter) => frontmatter.type === "framework",
+    validate: ({ skillDir, skillName, diagnostics }) => {
+      const referencesDir = path10.join(skillDir, "references");
+      if (!fs9.existsSync(referencesDir) || !fs9.statSync(referencesDir).isDirectory()) {
+        addDiagnostic(diagnostics, {
+          severity: "error",
+          skill: skillName,
+          file: referencesDir,
+          rule: "framework-references-required",
+          message: "framework skills must contain a references directory"
+        });
+      }
+    }
+  }
+];
+async function validateInstallerDependencies(skillDir, sourceRoot, diagnostics, skillName) {
+  const installerConfigPath = fs9.existsSync(path10.join(skillDir, "skill-installer.yaml")) ? path10.join(skillDir, "skill-installer.yaml") : path10.join(skillDir, "skill-installer.json");
+  try {
+    const installer = loadInstallerConfig(skillDir);
+    const fallbackRoots = Array.from(
+      /* @__PURE__ */ new Set([path10.resolve(sourceRoot), path10.resolve(process.cwd())])
+    );
+    let hasSecurityViolation = false;
+    for (const dep of installer.dependencies) {
+      const source = typeof dep === "string" ? dep : dep.source;
+      const kind = classifyDependencySource(source);
+      if (kind !== "local") {
+        continue;
+      }
+      let accepted = false;
+      let securityViolation;
+      for (const root of fallbackRoots) {
+        const evaluated = evaluateInstallerLocalDependencyPolicy(
+          {
+            source,
+            sourceRoot: root
+          },
+          "enforce"
+        );
+        if (evaluated.ok) {
+          accepted = true;
+          break;
+        } else {
+          securityViolation = "violation" in evaluated ? evaluated.violation : void 0;
+        }
+      }
+      if (!accepted && securityViolation) {
+        hasSecurityViolation = true;
+        addDiagnostic(diagnostics, {
+          severity: securityViolation.severity,
+          skill: skillName,
+          file: installerConfigPath,
+          rule: securityViolation.rule,
+          message: securityViolation.message
+        });
+      }
+    }
+    if (hasSecurityViolation) {
+      return;
+    }
+    const tempSkillDir = fs9.mkdtempSync(path10.join(os5.tmpdir(), "skillspp-validate-installer-"));
+    try {
+      const filesToCopy = ["SKILL.md", "skill-installer.yaml", "skill-installer.json"];
+      for (const fileName of filesToCopy) {
+        const src = path10.join(skillDir, fileName);
+        if (fs9.existsSync(src) && fs9.statSync(src).isFile()) {
+          fs9.copyFileSync(src, path10.join(tempSkillDir, fileName));
+        }
+      }
+      const agentsDir = path10.join(skillDir, "agents");
+      if (fs9.existsSync(agentsDir) && fs9.statSync(agentsDir).isDirectory()) {
+        fs9.cpSync(agentsDir, path10.join(tempSkillDir, "agents"), {
+          recursive: true,
+          force: true
+        });
+      }
+      let preparedSuccess = false;
+      let lastMissingSourceError;
+      let securityError;
+      for (const root of fallbackRoots) {
+        try {
+          const prepared = await prepareInstallerArtifacts(tempSkillDir, root, {
+            sourceType: "local",
+            allowHookCommands: false,
+            policyMode: "enforce"
+          });
+          cleanupPreparedInstallerArtifacts(prepared);
+          preparedSuccess = true;
+          break;
+        } catch (error) {
+          if (isInstallerSecurityError(error)) {
+            securityError = error;
+            break;
+          }
+          if (isInstallerPolicyError(error)) {
+            securityError = error;
+            break;
+          }
+          const message = error instanceof Error ? error.message : String(error);
+          if (message.includes("(local) source not found")) {
+            lastMissingSourceError = error;
+            continue;
+          }
+          throw error;
+        }
+      }
+      if (!preparedSuccess && securityError) {
+        throw securityError;
+      }
+      if (!preparedSuccess && lastMissingSourceError) {
+        throw lastMissingSourceError;
+      }
+    } finally {
+      fs9.rmSync(tempSkillDir, { recursive: true, force: true });
+    }
+  } catch (error) {
+    if (isInstallerSecurityError(error)) {
+      addDiagnostic(diagnostics, {
+        severity: error.violation.severity,
+        skill: skillName,
+        file: installerConfigPath,
+        rule: error.violation.rule,
+        message: error.violation.message
+      });
+      return;
+    }
+    if (isInstallerPolicyError(error)) {
+      addDiagnostic(diagnostics, {
+        severity: "error",
+        skill: skillName,
+        file: installerConfigPath,
+        rule: error.violation.rule,
+        message: error.violation.message
+      });
+      return;
+    }
+    addDiagnostic(diagnostics, {
+      severity: "warning",
+      skill: skillName,
+      file: installerConfigPath,
+      rule: "missing-installer-local-dependency",
+      message: error instanceof Error ? error.message : String(error)
+    });
+  }
+}
+async function validateSkillDir(skillDir, sourceRoot, diagnostics, strict, thresholds) {
+  const skillMd = path10.join(skillDir, "SKILL.md");
+  const skillName = path10.basename(skillDir);
+  if (!fs9.existsSync(skillMd)) {
+    addDiagnostic(diagnostics, {
+      severity: "error",
+      skill: skillName,
+      file: skillMd,
+      rule: "missing-skill-md",
+      message: "SKILL.md is required"
+    });
+    return;
+  }
+  const content = fs9.readFileSync(skillMd, "utf8");
+  const lines = content.split(/\r?\n/);
+  if (lines.length > thresholds.maxLines) {
+    addDiagnostic(diagnostics, {
+      severity: strict ? "error" : "warning",
+      skill: skillName,
+      file: skillMd,
+      rule: "line-budget",
+      message: `SKILL.md has ${lines.length} lines (limit ${thresholds.maxLines})`
+    });
+  }
+  let parsed;
+  try {
+    parsed = matter2(content);
+  } catch (error) {
+    addDiagnostic(diagnostics, {
+      severity: "error",
+      skill: skillName,
+      file: skillMd,
+      rule: "invalid-frontmatter",
+      message: error instanceof Error ? error.message : "frontmatter parsing failed"
+    });
+    return;
+  }
+  const data = parsed.data || {};
+  const name = data.name;
+  const description = data.description;
+  if (typeof name !== "string" || !name.trim()) {
+    addDiagnostic(diagnostics, {
+      severity: "error",
+      skill: skillName,
+      file: skillMd,
+      rule: "missing-name",
+      message: "frontmatter field 'name' is required"
+    });
+  }
+  if (typeof description !== "string" || !description.trim()) {
+    addDiagnostic(diagnostics, {
+      severity: "error",
+      skill: skillName,
+      file: skillMd,
+      rule: "missing-description",
+      message: "frontmatter field 'description' is required"
+    });
+  } else if (description.length > thresholds.maxDescriptionChars) {
+    addDiagnostic(diagnostics, {
+      severity: strict ? "error" : "warning",
+      skill: skillName,
+      file: skillMd,
+      rule: "description-budget",
+      message: `description has ${description.length} chars (limit ${thresholds.maxDescriptionChars})`
+    });
+  }
+  if (typeof name === "string" && name.trim()) {
+    const normalized = name.trim().toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^[.-]+|[.-]+$/g, "");
+    if (normalized && normalized !== skillName.toLowerCase()) {
+      addDiagnostic(diagnostics, {
+        severity: "error",
+        skill: skillName,
+        file: skillMd,
+        rule: "name-path-mismatch",
+        message: `frontmatter name '${name}' does not match directory '${skillName}'`
+      });
+    }
+  }
+  for (const ref of discoverMarkdownReferences(content)) {
+    const resolved = path10.resolve(skillDir, ref);
+    const rel = path10.relative(skillDir, resolved);
+    if (!rel || rel.startsWith("..") || path10.isAbsolute(rel)) {
+      continue;
+    }
+    if (!fs9.existsSync(resolved)) {
+      addDiagnostic(diagnostics, {
+        severity: "error",
+        skill: skillName,
+        file: skillMd,
+        rule: "missing-reference",
+        message: `referenced path not found: ${ref}`
+      });
+    }
+  }
+  for (const rule of typeRules) {
+    if (rule.when(data)) {
+      rule.validate({ skillDir, skillName, diagnostics });
+    }
+  }
+  await validateInstallerDependencies(skillDir, sourceRoot, diagnostics, skillName);
+}
+async function stageAndValidateLocalRoot(rootPath, dependencyRoot, seenSkillPaths, diagnostics, strict, thresholds, emitProgress) {
+  const resolvedRoot = path10.resolve(rootPath);
+  if (!fs9.existsSync(resolvedRoot) || !fs9.statSync(resolvedRoot).isDirectory()) {
+    addDiagnostic(diagnostics, {
+      severity: "error",
+      skill: path10.basename(resolvedRoot),
+      file: resolvedRoot,
+      rule: "missing-root",
+      message: "validation root does not exist"
+    });
+    return;
+  }
+  await emitProgress?.("discovering candidate skills");
+  const skills = discoverSkills(resolvedRoot);
+  if (skills.length === 0) {
+    addDiagnostic(diagnostics, {
+      severity: "error",
+      skill: path10.basename(resolvedRoot),
+      file: resolvedRoot,
+      rule: "no-skills-discovered",
+      message: "no SKILL.md files discovered"
+    });
+    return;
+  }
+  for (const skill of skills) {
+    const resolvedSkillPath = path10.resolve(skill.path);
+    if (seenSkillPaths.has(resolvedSkillPath)) {
+      continue;
+    }
+    seenSkillPaths.add(resolvedSkillPath);
+    await emitProgress?.(`validating ${skill.name}`);
+    await validateSkillDir(skill.path, dependencyRoot, diagnostics, strict, thresholds);
+  }
+}
+async function stageAndValidateSource(options, diagnostics, thresholds, emitProgress) {
+  if (!options.source) {
+    throw new CoreError({
+      code: "VALIDATION_MISSING_SOURCE",
+      message: "validate requires a source unless CI mode is enabled"
+    });
+  }
+  await emitProgress?.("parsing source");
+  const parsed = parseSource(options.source);
+  if (parsed.type === "well-known" || parsed.type === "catalog") {
+    await emitProgress?.("discovering candidate skills");
+    const remote = parsed.type === "well-known" ? await resolveWellKnownSkills(parsed.url, {
+      allowHost: options.allowHost,
+      denyHost: options.denyHost,
+      maxDownloadBytes: options.maxDownloadBytes,
+      experimental: options.experimental
+    }) : await resolveCatalogSkills(parsed.url, {
+      allowHost: options.allowHost,
+      denyHost: options.denyHost,
+      maxDownloadBytes: options.maxDownloadBytes,
+      experimental: options.experimental
+    });
+    if (remote.length === 0) {
+      addDiagnostic(diagnostics, {
+        severity: "error",
+        skill: parsed.url,
+        file: parsed.url,
+        rule: "no-skills-discovered",
+        message: "no SKILL.md files discovered"
+      });
+      return;
+    }
+    const stagedRoots = [];
+    try {
+      for (const remoteSkill of remote) {
+        const staged2 = stageRemoteSkillFilesToTempDir(remoteSkill.files, {
+          prefix: "skillspp-validate-"
+        });
+        stagedRoots.push(staged2);
+        await emitProgress?.(`validating ${remoteSkill.installName}`);
+        await validateSkillDir(
+          staged2.path,
+          staged2.path,
+          diagnostics,
+          Boolean(options.strict),
+          thresholds
+        );
+      }
+    } finally {
+      for (const staged2 of stagedRoots) {
+        staged2.cleanup();
+      }
+    }
+    return;
+  }
+  const staged = prepareSourceDir(parsed);
+  try {
+    await emitProgress?.("staging source");
+    await stageAndValidateLocalRoot(
+      staged.basePath,
+      staged.basePath,
+      /* @__PURE__ */ new Set(),
+      diagnostics,
+      Boolean(options.strict),
+      thresholds,
+      emitProgress
+    );
+  } finally {
+    if (staged.cleanup) {
+      staged.cleanup();
+    }
+  }
+}
+async function runValidateAnalysis(options, emitProgress) {
+  const diagnostics = [];
+  const thresholds = resolveThresholds(options);
+  const seenSkillPaths = /* @__PURE__ */ new Set();
+  if (options.ci) {
+    await emitProgress?.("staging source");
+    const roots = options.roots && options.roots.length > 0 ? options.roots : [process.cwd()];
+    if (roots.length === 0) {
+      throw new Error("No CI roots found to validate");
+    }
+    await emitProgress?.("discovering candidate skills");
+    for (const root of roots) {
+      await stageAndValidateLocalRoot(
+        root,
+        process.cwd(),
+        seenSkillPaths,
+        diagnostics,
+        Boolean(options.strict),
+        thresholds,
+        emitProgress
+      );
+    }
+  } else {
+    await stageAndValidateSource(options, diagnostics, thresholds, emitProgress);
+  }
+  await emitProgress?.("collecting diagnostics");
+  return { diagnostics };
+}
+
+// ../../packages/core/src/runtime/installer.ts
+import fs10 from "node:fs";
+import path11 from "node:path";
+function sanitizeSkillName(name) {
+  const sanitized = name.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^[.-]+|[.-]+$/g, "");
+  return sanitized || "unnamed-skill";
+}
+function ensureSafeInside(baseDir, target) {
+  const resolvedBase = path11.resolve(baseDir);
+  const resolvedTarget = path11.resolve(target);
+  if (!(resolvedTarget === resolvedBase || resolvedTarget.startsWith(`${resolvedBase}${path11.sep}`))) {
+    throw new Error(`Unsafe path detected: ${target}`);
+  }
+}
+function symlinkRelative(target, linkPath) {
+  const parent = path11.dirname(linkPath);
+  const relative = path11.relative(parent, target);
+  const symlinkType = process.platform === "win32" ? "junction" : void 0;
+  fs10.symlinkSync(relative, linkPath, symlinkType);
+}
+function installToAgent(itemName, canonicalDir, agent, mode, globalInstall, cwd, resolveAgentBaseDir) {
+  const agentBase = resolveAgentBaseDir(agent, globalInstall, cwd);
+  const agentDir = path11.join(agentBase, itemName);
+  fs10.mkdirSync(agentBase, { recursive: true });
+  ensureSafeInside(agentBase, agentDir);
+  if (path11.resolve(agentDir) === path11.resolve(canonicalDir)) {
+    return { agent, path: canonicalDir, mode };
+  }
+  if (mode === "copy") {
+    fs10.rmSync(agentDir, { recursive: true, force: true });
+    fs10.cpSync(canonicalDir, agentDir, { recursive: true, force: true });
+    return { agent, path: agentDir, mode };
+  }
+  try {
+    fs10.rmSync(agentDir, { recursive: true, force: true });
+    symlinkRelative(canonicalDir, agentDir);
+    return { agent, path: agentDir, mode: "symlink" };
+  } catch {
+    fs10.rmSync(agentDir, { recursive: true, force: true });
+    fs10.cpSync(canonicalDir, agentDir, { recursive: true, force: true });
+    return { agent, path: agentDir, mode: "copy" };
+  }
+}
+function installSkillToAgent(skillName, canonicalDir, agent, mode, globalInstall, cwd) {
+  return installToAgent(
+    skillName,
+    canonicalDir,
+    agent,
+    mode,
+    globalInstall,
+    cwd,
+    getAgentSkillsDir
+  );
+}
+function installToCanonicalDir(sourcePath, itemName, canonicalBase) {
+  const canonicalDir = path11.join(canonicalBase, itemName);
+  fs10.mkdirSync(canonicalBase, { recursive: true });
+  ensureSafeInside(canonicalBase, canonicalDir);
+  fs10.rmSync(canonicalDir, { recursive: true, force: true });
+  fs10.cpSync(sourcePath, canonicalDir, { recursive: true, force: true });
+  return canonicalDir;
+}
+function installSkill(skill, agents, options) {
+  if (agents.length === 0) {
+    throw new Error("At least one target agent is required for installation.");
+  }
+  const uniqueAgents = Array.from(new Set(agents));
+  const skillName = sanitizeSkillName(skill.name);
+  const canonicalAgent = uniqueAgents[0];
+  const canonicalBase = getAgentSkillsDir(canonicalAgent, options.globalInstall, options.cwd);
+  const canonicalDir = installToCanonicalDir(skill.path, skillName, canonicalBase);
+  const installedTo = [
+    { agent: canonicalAgent, path: canonicalDir, mode: options.mode },
+    ...uniqueAgents.slice(1).map(
+      (agent) => installSkillToAgent(
+        skillName,
+        canonicalDir,
+        agent,
+        options.mode,
+        options.globalInstall,
+        options.cwd
+      )
+    )
+  ];
+  return {
+    skillName,
+    canonicalDir,
+    installedTo
+  };
+}
+
+// ../../packages/core/src/sources/scanner.ts
+import fs11 from "node:fs";
+import os6 from "node:os";
+import path12 from "node:path";
+function listDirs(dir) {
+  if (!fs11.existsSync(dir) || !fs11.statSync(dir).isDirectory()) {
+    return [];
+  }
+  return fs11.readdirSync(dir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => entry.name);
+}
+function detectLocalGlobalConflicts(cwd) {
+  const localDir = path12.join(cwd, ".agents", "skills");
+  const globalDir = path12.join(os6.homedir(), ".config", "agents", "skills");
+  const local = new Set(listDirs(localDir));
+  const global = new Set(listDirs(globalDir));
+  const overlap = [...local].filter((name) => global.has(name));
+  return overlap.sort((a, b) => a.localeCompare(b)).map((skillName) => ({
+    skillName,
+    winner: "local"
+  }));
+}
+function readPackageMeta(packageDir) {
+  const packageJson = path12.join(packageDir, "package.json");
+  if (!fs11.existsSync(packageJson) || !fs11.statSync(packageJson).isFile()) {
+    return {
+      name: path12.basename(packageDir),
+      version: "0.0.0"
+    };
+  }
+  const parsed = JSON.parse(fs11.readFileSync(packageJson, "utf8"));
+  return {
+    name: parsed.name || path12.basename(packageDir),
+    version: parsed.version || "0.0.0"
+  };
+}
+function collectSkillsFromPackage(packageDir, depth, out) {
+  const meta = readPackageMeta(packageDir);
+  const skillsDir = path12.join(packageDir, "skills");
+  if (fs11.existsSync(skillsDir) && fs11.statSync(skillsDir).isDirectory()) {
+    for (const entry of fs11.readdirSync(skillsDir, { withFileTypes: true })) {
+      if (!entry.isDirectory()) {
+        continue;
+      }
+      const skillDir = path12.join(skillsDir, entry.name);
+      const skillMd = path12.join(skillDir, "SKILL.md");
+      if (!fs11.existsSync(skillMd) || !fs11.statSync(skillMd).isFile()) {
+        continue;
+      }
+      out.push({
+        skillName: entry.name,
+        skillDir,
+        packageName: meta.name,
+        packageVersion: meta.version,
+        depth
+      });
+    }
+  }
+}
+function walkNodeModules(nodeModulesDir, depth, maxDepth, seen, out) {
+  const resolvedNodeModules = path12.resolve(nodeModulesDir);
+  if (seen.has(resolvedNodeModules) || depth > maxDepth) {
+    return;
+  }
+  seen.add(resolvedNodeModules);
+  if (!fs11.existsSync(resolvedNodeModules) || !fs11.statSync(resolvedNodeModules).isDirectory()) {
+    return;
+  }
+  for (const entry of fs11.readdirSync(resolvedNodeModules, {
+    withFileTypes: true
+  })) {
+    if (!entry.isDirectory()) {
+      continue;
+    }
+    if (entry.name.startsWith("@")) {
+      const scopeDir = path12.join(resolvedNodeModules, entry.name);
+      for (const scoped of fs11.readdirSync(scopeDir, { withFileTypes: true })) {
+        if (!scoped.isDirectory()) {
+          continue;
+        }
+        const packageDir2 = path12.join(scopeDir, scoped.name);
+        collectSkillsFromPackage(packageDir2, depth, out);
+        walkNodeModules(path12.join(packageDir2, "node_modules"), depth + 1, maxDepth, seen, out);
+      }
+      continue;
+    }
+    const packageDir = path12.join(resolvedNodeModules, entry.name);
+    collectSkillsFromPackage(packageDir, depth, out);
+    walkNodeModules(path12.join(packageDir, "node_modules"), depth + 1, maxDepth, seen, out);
+  }
+}
+function discoverTransitiveSkillCandidates(cwd, options = {}) {
+  const maxDepth = options.maxDepth ?? 8;
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  walkNodeModules(path12.join(cwd, "node_modules"), 0, maxDepth, seen, out);
+  return out.sort((a, b) => {
+    if (a.skillName !== b.skillName) {
+      return a.skillName.localeCompare(b.skillName);
+    }
+    if (a.depth !== b.depth) {
+      return a.depth - b.depth;
+    }
+    if (a.packageName !== b.packageName) {
+      return a.packageName.localeCompare(b.packageName);
+    }
+    if (a.packageVersion !== b.packageVersion) {
+      return b.packageVersion.localeCompare(a.packageVersion);
+    }
+    return a.skillDir.localeCompare(b.skillDir);
+  });
+}
+function detectTransitiveSkillConflicts(candidates) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const candidate of candidates) {
+    const rows = grouped.get(candidate.skillName) || [];
+    rows.push(candidate);
+    grouped.set(candidate.skillName, rows);
+  }
+  const conflicts = [];
+  for (const [skillName, rows] of grouped) {
+    if (rows.length <= 1) {
+      continue;
+    }
+    const sorted = [...rows].sort((a, b) => {
+      if (a.depth !== b.depth) {
+        return a.depth - b.depth;
+      }
+      if (a.packageName !== b.packageName) {
+        return a.packageName.localeCompare(b.packageName);
+      }
+      if (a.packageVersion !== b.packageVersion) {
+        return b.packageVersion.localeCompare(a.packageVersion);
+      }
+      return a.skillDir.localeCompare(b.skillDir);
+    });
+    conflicts.push({
+      skillName,
+      winner: sorted[0],
+      losers: sorted.slice(1)
+    });
+  }
+  return conflicts.sort((a, b) => a.skillName.localeCompare(b.skillName));
+}
+
+// ../../packages/core/src/runtime/installer-scaffold.ts
+import fs12 from "node:fs";
+import path13 from "node:path";
+import YAML3 from "yaml";
+function installerConfigSkeleton() {
+  return {
+    schemaVersion: 1,
+    dependencies: [],
+    "pre-install": [],
+    "post-install": []
+  };
+}
+function isFile(filePath) {
+  return fs12.existsSync(filePath) && fs12.statSync(filePath).isFile();
+}
+function getInstallerConfigState(skillDir) {
+  const yamlPath = path13.join(skillDir, "skill-installer.yaml");
+  const jsonPath = path13.join(skillDir, "skill-installer.json");
+  const hasYaml = isFile(yamlPath);
+  const hasJson = isFile(jsonPath);
+  if (hasYaml && hasJson) {
+    throw new Error(
+      "Both skill-installer.yaml and skill-installer.json exist. Keep only one installer config file."
+    );
+  }
+  return {
+    yamlPath,
+    jsonPath,
+    hasYaml,
+    hasJson,
+    missing: !hasYaml && !hasJson
+  };
+}
+function listSkillsMissingInstallerConfig(skillDirs) {
+  return skillDirs.filter((skillDir) => getInstallerConfigState(skillDir).missing);
+}
+function scaffoldInstallerConfigFile(skillDir, format) {
+  const state = getInstallerConfigState(skillDir);
+  if (!state.missing) {
+    return { created: false };
+  }
+  const content = format === "yaml" ? YAML3.stringify(installerConfigSkeleton()) : JSON.stringify(installerConfigSkeleton(), null, 2);
+  const destinationPath = format === "yaml" ? state.yamlPath : state.jsonPath;
+  fs12.writeFileSync(destinationPath, `${content}
+`, "utf8");
+  return { created: true, filePath: destinationPath };
+}
+function scaffoldInstallerConfigForSkills(skillDirs, format) {
+  const created = [];
+  for (const skillDir of skillDirs) {
+    const result = scaffoldInstallerConfigFile(skillDir, format);
+    if (result.created && result.filePath) {
+      created.push(result.filePath);
+    }
+  }
+  return created;
+}
+
+// ../../packages/core/src/runtime/background-tasks.ts
+function serializeAssessments(assessments) {
+  return assessments.map((assessment) => ({
+    entry: assessment.entry,
+    drift: assessment.drift
+  }));
+}
+function resolveAddGlobalInstall(options) {
+  if (options.globalFlagProvided) {
+    return Boolean(options.global);
+  }
+  return false;
+}
+function resolveAddInstallMode(options) {
+  if (options.symlinkFlagProvided) {
+    return "symlink";
+  }
+  return "copy";
+}
+function resolveAddInstallerScaffoldFormat(options, missingCount) {
+  if (missingCount === 0) {
+    return void 0;
+  }
+  return options.yaml ? "yaml" : "json";
+}
+function sourceHashForInstalledSkill(options) {
+  if (options.parsedSource.type === "local") {
+    return hashDirectory(options.skillPath);
+  }
+  return options.beforeHash || hashDirectory(options.skillPath);
+}
+function canonicalSourceIdentity(options) {
+  if (options.parsedSource.type === "local") {
+    return options.parsedSource.localPath;
+  }
+  if (options.parsedSource.type === "well-known") {
+    return options.wellKnownSourceUrl || options.parsedSource.url;
+  }
+  if (options.parsedSource.type === "catalog") {
+    return options.wellKnownSourceUrl || options.parsedSource.url;
+  }
+  if (options.parsedSource.type === "github") {
+    const suffix = options.parsedSource.subpath ? `#${options.parsedSource.subpath}` : "";
+    return `${options.parsedSource.repoUrl}${suffix}`;
+  }
+  return options.parsedSource.repoUrl;
+}
+function resolveSafeRealPath2(inputPath) {
+  try {
+    return fs13.realpathSync(inputPath);
+  } catch {
+    return path14.resolve(inputPath);
+  }
+}
+function isLocalSymlinkSource2(localPath) {
+  try {
+    if (!fs13.existsSync(localPath)) {
+      return false;
+    }
+    return fs13.lstatSync(localPath).isSymbolicLink();
+  } catch {
+    return false;
+  }
+}
+function lockfileNameForFormat(format) {
+  return format === "yaml" ? "skillspp-lock.yaml" : "skillspp-lock.json";
+}
+function staleLockfileNameForFormat(format) {
+  return format === "yaml" ? "skillspp-lock.json" : "skillspp-lock.yaml";
+}
+function propagateLockfileVisibility(options) {
+  const lockName = lockfileNameForFormat(options.lockFormat);
+  const staleLockName = staleLockfileNameForFormat(options.lockFormat);
+  const canonicalLockPath = path14.join(options.canonicalDir, lockName);
+  const canonicalRealPath = fs13.existsSync(options.canonicalDir) ? fs13.realpathSync(options.canonicalDir) : path14.resolve(options.canonicalDir);
+  for (const targetDir of options.targetDirs) {
+    const targetRealPath = fs13.existsSync(targetDir) ? fs13.realpathSync(targetDir) : path14.resolve(targetDir);
+    if (targetRealPath === canonicalRealPath) {
+      continue;
+    }
+    const targetLockPath = path14.join(targetDir, lockName);
+    const staleTargetPath = path14.join(targetDir, staleLockName);
+    fs13.copyFileSync(canonicalLockPath, targetLockPath);
+    if (fs13.existsSync(staleTargetPath)) {
+      fs13.rmSync(staleTargetPath, { force: true });
+    }
+  }
+}
+function writeLockEntryAfterInstall(options) {
+  const installedHash = hashDirectory(options.outcome.canonicalDir);
+  const resourceKind = options.resourceKind || "skill";
+  const lock = readResourceLockfile(resourceKind, options.globalInstall, options.cwd);
+  const entry = {
+    skillName: options.outcome.skillName,
+    global: options.globalInstall,
+    installMode: options.mode,
+    agents: options.outcome.installedTo.map((row) => row.agent),
+    canonicalDir: options.outcome.canonicalDir,
+    source: {
+      input: options.sourceInput,
+      type: options.sourceType,
+      canonical: options.sourceCanonical,
+      pinnedRef: options.sourcePinnedRef,
+      resolvedPath: options.sourceResolvedPath,
+      isSymlinkSource: options.sourceIsSymlink,
+      selector: {
+        skillName: options.sourceSkillName,
+        relativePath: options.sourceSkillPath,
+        wellKnownSourceUrl: options.wellKnownSourceUrl
+      }
+    },
+    sourceHash: options.sourceHash,
+    installedHash,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const next = upsertResourceLockEntry(lock, entry);
+  writeResourceLockfile(
+    resourceKind,
+    options.globalInstall,
+    options.cwd,
+    next,
+    options.lockFormat || "json"
+  );
+  const selectedFormat = options.lockFormat || "json";
+  propagateLockfileVisibility({
+    canonicalDir: options.outcome.canonicalDir,
+    targetDirs: options.outcome.installedTo.map((destination) => destination.path),
+    lockFormat: selectedFormat
+  });
+  const staleLockPath = path14.join(
+    options.outcome.canonicalDir,
+    staleLockfileNameForFormat(selectedFormat)
+  );
+  if (fs13.existsSync(staleLockPath)) {
+    fs13.rmSync(staleLockPath, { force: true });
+  }
+}
+function buildRemoteSkill(remote) {
+  const staged = stageRemoteSkillFilesToTempDir(remote.files);
+  return {
+    skill: {
+      name: remote.installName,
+      description: remote.description,
+      path: staged.path
+    },
+    cleanup: staged.cleanup
+  };
+}
+async function runCheckScanTask(cwd, options, emitProgress) {
+  await emitProgress("checking drift");
+  const assessed = await assessLockEntries(options, cwd, {
+    keepResolved: false
+  });
+  await emitProgress("checking local/global conflicts");
+  const conflicts = detectLocalGlobalConflicts(cwd);
+  await emitProgress("checking transitive conflicts");
+  const transitiveCandidates = discoverTransitiveSkillCandidates(cwd);
+  const transitiveConflicts = detectTransitiveSkillConflicts(transitiveCandidates);
+  return {
+    drift: assessed.drift,
+    checked: assessed.checked,
+    conflicts,
+    transitiveConflicts
+  };
+}
+async function runUpdateAssessTask(cwd, options, emitProgress) {
+  await emitProgress("assessing drift");
+  const assessed = await assessLockEntries(options, cwd, {
+    keepResolved: false
+  });
+  return {
+    assessments: serializeAssessments(assessed.assessments)
+  };
+}
+function createBackupDir(skillName, sourceDir) {
+  const backupRoot = fs13.mkdtempSync(path14.join(os7.tmpdir(), "skillspp-update-backup-"));
+  const backupDir = path14.join(backupRoot, skillName);
+  fs13.mkdirSync(backupDir, { recursive: true });
+  fs13.cpSync(sourceDir, backupDir, { recursive: true, force: true });
+  return backupDir;
+}
+async function applyEntryUpdate(assessment, options, cwd) {
+  const { entry } = assessment;
+  if (!assessment.resolved || !assessment.sourceHash) {
+    throw new Error(`No resolved source available for ${entry.skillName}`);
+  }
+  const resolved = assessment.resolved;
+  const sourceHash = assessment.sourceHash;
+  const backupDir = createBackupDir(entry.skillName, entry.canonicalDir);
+  try {
+    const preparedInstaller = await prepareInstallerArtifacts(resolved.skill.path, cwd, {
+      sourceType: entry.source.type,
+      policyMode: options.policyMode || "enforce",
+      trustWellKnown: Boolean(options.trustWellKnown)
+    });
+    const outcome = installSkill(resolved.skill, entry.agents, {
+      mode: entry.installMode,
+      globalInstall: entry.global,
+      cwd
+    });
+    try {
+      await applyInstallerArtifacts(outcome.canonicalDir, preparedInstaller);
+    } finally {
+      cleanupPreparedInstallerArtifacts(preparedInstaller);
+    }
+    const installedHash = await hashDirectoryAsync(outcome.canonicalDir);
+    return {
+      ...entry,
+      source: {
+        ...entry.source,
+        canonical: assessment.refreshedSource?.canonical ?? entry.source.canonical,
+        pinnedRef: assessment.refreshedSource?.pinnedRef ?? entry.source.pinnedRef,
+        resolvedPath: assessment.refreshedSource?.resolvedPath ?? entry.source.resolvedPath,
+        isSymlinkSource: assessment.refreshedSource?.isSymlinkSource ?? entry.source.isSymlinkSource,
+        selector: {
+          ...entry.source.selector,
+          relativePath: assessment.refreshedSource?.sourceSkillPath ?? entry.source.selector.relativePath,
+          wellKnownSourceUrl: assessment.refreshedSource?.wellKnownSourceUrl ?? entry.source.selector.wellKnownSourceUrl
+        }
+      },
+      sourceHash,
+      installedHash,
+      canonicalDir: outcome.canonicalDir,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  } catch (error) {
+    const rollbackSkill = {
+      name: entry.skillName,
+      description: `Rollback for ${entry.skillName}`,
+      path: backupDir
+    };
+    installSkill(rollbackSkill, entry.agents, {
+      mode: entry.installMode,
+      globalInstall: entry.global,
+      cwd
+    });
+    throw error;
+  } finally {
+    fs13.rmSync(path14.dirname(backupDir), { recursive: true, force: true });
+    if (resolved.cleanup) {
+      resolved.cleanup();
+    }
+  }
+}
+async function runUpdateApplyTask(payload, emitProgress) {
+  const selectedOptions = {
+    ...payload.options,
+    skill: payload.selectedSkillNames
+  };
+  await emitProgress("assessing selected skills");
+  const assessed = await assessLockEntries(selectedOptions, payload.cwd, {
+    keepResolved: true
+  });
+  const candidateAssessments = assessed.assessments.filter(
+    (assessment) => !assessment.drift.some((item) => item.kind === "migrate-required") && assessment.drift.some(
+      (item) => item.kind === "changed-source" || item.kind === "local-modified"
+    )
+  );
+  let nextLock = readLockfile(Boolean(payload.options.global), payload.cwd);
+  const updatedEntries = [];
+  const ordered = [...candidateAssessments].sort(
+    (a, b) => a.entry.skillName.localeCompare(b.entry.skillName)
+  );
+  try {
+    for (const assessment of ordered) {
+      await emitProgress(`updating ${assessment.entry.skillName}`);
+      const updated = await applyEntryUpdate(assessment, payload.options, payload.cwd);
+      updatedEntries.push(updated);
+      nextLock = upsertLockEntry(nextLock, updated);
+    }
+    await emitProgress("writing lockfile");
+    writeLockfile(Boolean(payload.options.global), payload.cwd, nextLock, payload.lockFormat);
+    for (const updated of updatedEntries) {
+      const targetDirs = Array.from(
+        new Set(
+          updated.agents.map(
+            (agent) => path14.join(getAgentSkillsDir(agent, updated.global, payload.cwd), updated.skillName)
+          )
+        )
+      );
+      propagateLockfileVisibility({
+        canonicalDir: updated.canonicalDir,
+        targetDirs,
+        lockFormat: payload.lockFormat
+      });
+    }
+    return {
+      updatedSkillNames: ordered.map((assessment) => assessment.entry.skillName)
+    };
+  } finally {
+    for (const assessment of assessed.assessments) {
+      if (assessment.resolved?.cleanup) {
+        assessment.resolved.cleanup();
+      }
+    }
+  }
+}
+async function resolveMigrationSource(options) {
+  const parsedSource = parseSource(options.sourceInput);
+  if (parsedSource.type === "well-known" || parsedSource.type === "catalog") {
+    const remoteSkills = parsedSource.type === "well-known" ? await resolveWellKnownSkills(parsedSource.url, options.addOptions) : await resolveCatalogSkills(parsedSource.url, options.addOptions);
+    const remote = remoteSkills.find((item) => item.installName === options.skillName);
+    if (!remote) {
+      throw new Error(`Skill '${options.skillName}' not found in migration source`);
+    }
+    const staged = buildRemoteSkill(remote);
+    const sourceHash = hashDirectory(staged.skill.path);
+    return {
+      parsedSource,
+      skill: staged.skill,
+      sourceHash,
+      sourceCanonical: canonicalSourceIdentity({
+        parsedSource,
+        wellKnownSourceUrl: remote.sourceUrl
+      }),
+      sourcePinnedRef: sourceHash,
+      wellKnownSourceUrl: remote.sourceUrl,
+      cleanup: staged.cleanup
+    };
+  }
+  const prepared = await prepareSourceDirAsync(
+    parsedSource
+  );
+  try {
+    const skills = await discoverSkillsAsync(prepared.basePath);
+    const skill = skills.find((item) => item.name === options.skillName);
+    if (!skill) {
+      throw new Error(`Skill '${options.skillName}' not found in migration source`);
+    }
+    const sourceHash = sourceHashForInstalledSkill({
+      parsedSource,
+      skillPath: skill.path
+    });
+    const sourcePinnedRef = parsedSource.type === "github" || parsedSource.type === "git" ? await resolveGitHeadRefAsync(prepared.basePath) : void 0;
+    return {
+      parsedSource,
+      skill,
+      sourceSkillPath: path14.relative(prepared.basePath, skill.path) || ".",
+      sourceHash,
+      sourceCanonical: canonicalSourceIdentity({ parsedSource }),
+      sourcePinnedRef,
+      sourceResolvedPath: parsedSource.type === "local" ? resolveSafeRealPath2(skill.path) : void 0,
+      sourceIsSymlink: parsedSource.type === "local" ? isLocalSymlinkSource2(parsedSource.localPath) : void 0,
+      cleanup: prepared.cleanup
+    };
+  } catch (error) {
+    if (prepared.cleanup) {
+      prepared.cleanup();
+    }
+    throw error;
+  }
+}
+async function runUpdateMigrateTask(payload, emitProgress) {
+  await emitProgress("resolving migration source");
+  const lock = readLockfile(Boolean(payload.options.global), payload.cwd);
+  const entry = lock.entries.find((item) => item.skillName === payload.skillName);
+  if (!entry) {
+    throw new Error(`Unknown skill for migration: ${payload.skillName}`);
+  }
+  const source = await resolveMigrationSource({
+    sourceInput: payload.sourceInput,
+    skillName: payload.skillName,
+    addOptions: payload.options
+  });
+  const backupDir = createBackupDir(entry.skillName, entry.canonicalDir);
+  try {
+    await emitProgress(`migrating ${entry.skillName}`);
+    const preparedInstaller = await prepareInstallerArtifacts(source.skill.path, payload.cwd, {
+      sourceType: source.parsedSource.type,
+      policyMode: payload.options.policyMode || "enforce",
+      trustWellKnown: Boolean(payload.options.trustWellKnown)
+    });
+    const outcome = installSkill(source.skill, entry.agents, {
+      mode: entry.installMode,
+      globalInstall: entry.global,
+      cwd: payload.cwd
+    });
+    try {
+      await applyInstallerArtifacts(outcome.canonicalDir, preparedInstaller);
+      await emitProgress("writing lockfile");
+      writeLockEntryAfterInstall({
+        globalInstall: entry.global,
+        cwd: payload.cwd,
+        sourceInput: payload.sourceInput,
+        sourceType: source.parsedSource.type,
+        sourceCanonical: source.sourceCanonical,
+        sourcePinnedRef: source.sourcePinnedRef,
+        sourceResolvedPath: source.sourceResolvedPath,
+        sourceIsSymlink: source.sourceIsSymlink,
+        sourceSkillName: source.skill.name,
+        sourceSkillPath: source.sourceSkillPath,
+        wellKnownSourceUrl: source.wellKnownSourceUrl,
+        sourceHash: source.sourceHash,
+        outcome,
+        mode: entry.installMode,
+        lockFormat: payload.lockFormat
+      });
+    } finally {
+      cleanupPreparedInstallerArtifacts(preparedInstaller);
+    }
+  } catch (error) {
+    const rollbackSkill = {
+      name: entry.skillName,
+      description: `Rollback for ${entry.skillName}`,
+      path: backupDir
+    };
+    installSkill(rollbackSkill, entry.agents, {
+      mode: entry.installMode,
+      globalInstall: entry.global,
+      cwd: payload.cwd
+    });
+    throw error;
+  } finally {
+    fs13.rmSync(path14.dirname(backupDir), { recursive: true, force: true });
+    if (source.cleanup) {
+      source.cleanup();
+    }
+  }
+  return { skillName: entry.skillName };
+}
+async function runListDetectAgentsTask(cwd, options, emitProgress) {
+  await emitProgress("detecting installed agents");
+  const agents = options.agent ? filterInstalledAgents(resolveAgents(options.agent), cwd) : detectInstalledAgents(cwd);
+  return { agents };
+}
+async function runListScanInventoryTask(payload, emitProgress) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const agent of payload.agents) {
+    await emitProgress(`scanning installed skills (${AGENTS[agent].displayName})`);
+    const dir = getAgentSkillsDir(agent, payload.globalInstall, payload.cwd);
+    if (!fs13.existsSync(dir) || !fs13.statSync(dir).isDirectory()) {
+      continue;
+    }
+    for (const entry of fs13.readdirSync(dir, { withFileTypes: true })) {
+      if (!entry.isDirectory() && !entry.isSymbolicLink()) {
+        continue;
+      }
+      const fullPath = path14.join(dir, entry.name);
+      let resolvedPath = fullPath;
+      try {
+        resolvedPath = fs13.realpathSync(fullPath);
+      } catch {
+        resolvedPath = fullPath;
+      }
+      const key = `${entry.name}:${resolvedPath}`;
+      const existing = grouped.get(key);
+      if (existing) {
+        existing.agents.add(AGENTS[agent].displayName);
+      } else {
+        grouped.set(key, {
+          name: entry.name,
+          resolvedPath,
+          agents: /* @__PURE__ */ new Set([AGENTS[agent].displayName])
+        });
+      }
+    }
+  }
+  const rows = Array.from(grouped.values()).map((row) => ({
+    name: row.name,
+    resolvedPath: row.resolvedPath,
+    agents: Array.from(row.agents).sort((a, b) => a.localeCompare(b))
+  })).sort((a, b) => a.name.localeCompare(b.name));
+  return { rows };
+}
+async function resolveAddSourceSkills(sourceInput, options, emitProgress) {
+  const parsed = parseSource(sourceInput);
+  if (parsed.type === "well-known" || parsed.type === "catalog") {
+    await emitProgress("fetching skill index");
+    const remoteSkills = parsed.type === "well-known" ? await resolveWellKnownSkills(parsed.url, options) : await resolveCatalogSkills(parsed.url, options);
+    if (remoteSkills.length === 0) {
+      throw new Error("No skills found at remote endpoint");
+    }
+    return {
+      skills: remoteSkills.map((skill) => ({
+        name: skill.installName,
+        description: skill.description
+      }))
+    };
+  }
+  await emitProgress("loading source");
+  const prepared = await prepareSourceDirAsync(
+    parsed
+  );
+  try {
+    const skills = await discoverSkillsAsync(prepared.basePath);
+    return {
+      skills: skills.map((skill) => ({
+        name: skill.name,
+        description: skill.description
+      }))
+    };
+  } finally {
+    if (prepared.cleanup) {
+      prepared.cleanup();
+    }
+  }
+}
+async function installSelectedAddSkills(payload, emitProgress) {
+  const parsedSource = parseSource(payload.sourceInput);
+  const globalInstall = resolveAddGlobalInstall(payload.options);
+  const mode = resolveAddInstallMode(payload.options);
+  if (parsedSource.type === "well-known" || parsedSource.type === "catalog") {
+    await emitProgress("fetching selected skills");
+    const remoteSkills = parsedSource.type === "well-known" ? await resolveWellKnownSkills(parsedSource.url, payload.options) : await resolveCatalogSkills(parsedSource.url, payload.options);
+    const remoteByName = new Map(remoteSkills.map((remote) => [remote.installName, remote]));
+    const tempCleanups = [];
+    const stagedSelected = [];
+    const sourceHashesBefore = /* @__PURE__ */ new Map();
+    try {
+      for (const skillName of payload.selectedSkillNames) {
+        const remote = remoteByName.get(skillName);
+        if (!remote) {
+          throw new Error(`No matching well-known skills found in source`);
+        }
+        const staged = buildRemoteSkill(remote);
+        tempCleanups.push(staged.cleanup);
+        stagedSelected.push(staged.skill);
+        sourceHashesBefore.set(staged.skill.path, hashDirectory(staged.skill.path));
+      }
+      const missingInstallerSkillDirs = listSkillsMissingInstallerConfig(
+        stagedSelected.map((item) => item.path)
+      );
+      const scaffoldFormat = resolveAddInstallerScaffoldFormat(
+        payload.options,
+        missingInstallerSkillDirs.length
+      );
+      if (scaffoldFormat) {
+        scaffoldInstallerConfigForSkills(missingInstallerSkillDirs, scaffoldFormat);
+      }
+      for (const localSkill of stagedSelected) {
+        const remote = remoteByName.get(localSkill.name);
+        if (!remote) {
+          throw new Error(
+            `Could not resolve remote metadata for selected skill '${localSkill.name}'`
+          );
+        }
+        const sourceHash = sourceHashesBefore.get(localSkill.path) || hashDirectory(localSkill.path);
+        const sourceCanonical = canonicalSourceIdentity({
+          parsedSource,
+          wellKnownSourceUrl: remote.sourceUrl
+        });
+        await emitProgress(`installing ${localSkill.name}`);
+        const preparedInstaller = await prepareInstallerArtifacts(localSkill.path, payload.cwd, {
+          sourceType: parsedSource.type,
+          policyMode: payload.options.policyMode || "enforce",
+          trustWellKnown: Boolean(payload.options.trustWellKnown)
+        });
+        const outcome = installSkill(localSkill, payload.agents, {
+          mode,
+          globalInstall,
+          cwd: payload.cwd
+        });
+        try {
+          await applyInstallerArtifacts(outcome.canonicalDir, preparedInstaller);
+          writeLockEntryAfterInstall({
+            globalInstall,
+            cwd: payload.cwd,
+            sourceInput: payload.sourceInput,
+            sourceType: parsedSource.type,
+            sourceCanonical,
+            sourcePinnedRef: sourceHash,
+            sourceSkillName: remote.installName,
+            sourceHash,
+            wellKnownSourceUrl: remote.sourceUrl,
+            outcome,
+            mode,
+            lockFormat: payload.options.lockFormat
+          });
+        } finally {
+          cleanupPreparedInstallerArtifacts(preparedInstaller);
+        }
+      }
+    } finally {
+      for (const cleanup of tempCleanups) {
+        cleanup();
+      }
+    }
+    return {
+      installedSkillNames: [...payload.selectedSkillNames],
+      agentCount: payload.agents.length
+    };
+  }
+  await emitProgress("loading source");
+  const prepared = await prepareSourceDirAsync(
+    parsedSource
+  );
+  try {
+    const sourceCanonical = canonicalSourceIdentity({ parsedSource });
+    const sourcePinnedRef = parsedSource.type === "github" || parsedSource.type === "git" ? await resolveGitHeadRefAsync(prepared.basePath) : void 0;
+    const sourceIsSymlink = parsedSource.type === "local" ? isLocalSymlinkSource2(parsedSource.localPath) : void 0;
+    const skills = await discoverSkillsAsync(prepared.basePath);
+    const selected = skills.filter((skill) => payload.selectedSkillNames.includes(skill.name));
+    if (selected.length === 0) {
+      throw new Error("No matching skills found in source");
+    }
+    const sourceHashesBefore = new Map(
+      selected.map((skill) => [skill.path, hashDirectory(skill.path)])
+    );
+    const missingInstallerSkillDirs = listSkillsMissingInstallerConfig(
+      selected.map((skill) => skill.path)
+    );
+    const scaffoldFormat = resolveAddInstallerScaffoldFormat(
+      payload.options,
+      missingInstallerSkillDirs.length
+    );
+    if (scaffoldFormat) {
+      scaffoldInstallerConfigForSkills(missingInstallerSkillDirs, scaffoldFormat);
+    }
+    for (const skill of selected) {
+      const sourceResolvedPath = parsedSource.type === "local" ? resolveSafeRealPath2(skill.path) : void 0;
+      await emitProgress(`installing ${skill.name}`);
+      const sourceSkillPath = path14.relative(prepared.basePath, skill.path) || ".";
+      const preparedInstaller = await prepareInstallerArtifacts(skill.path, payload.cwd, {
+        sourceType: parsedSource.type,
+        policyMode: payload.options.policyMode || "enforce",
+        trustWellKnown: Boolean(payload.options.trustWellKnown)
+      });
+      const outcome = installSkill(skill, payload.agents, {
+        mode,
+        globalInstall,
+        cwd: payload.cwd
+      });
+      try {
+        await applyInstallerArtifacts(outcome.canonicalDir, preparedInstaller);
+        writeLockEntryAfterInstall({
+          globalInstall,
+          cwd: payload.cwd,
+          sourceInput: payload.sourceInput,
+          sourceType: parsedSource.type,
+          sourceCanonical,
+          sourcePinnedRef,
+          sourceResolvedPath,
+          sourceIsSymlink,
+          sourceSkillName: skill.name,
+          sourceSkillPath,
+          sourceHash: sourceHashForInstalledSkill({
+            parsedSource,
+            skillPath: skill.path,
+            beforeHash: sourceHashesBefore.get(skill.path)
+          }),
+          outcome,
+          mode,
+          lockFormat: payload.options.lockFormat
+        });
+      } finally {
+        cleanupPreparedInstallerArtifacts(preparedInstaller);
+      }
+    }
+    return {
+      installedSkillNames: selected.map((skill) => skill.name),
+      agentCount: payload.agents.length
+    };
+  } finally {
+    if (prepared.cleanup) {
+      prepared.cleanup();
+    }
+  }
+}
+async function runFindFetchInventoryTask(sourceInput, options, emitProgress) {
+  await emitProgress("parsing source");
+  const parsedSource = parseSource(sourceInput);
+  const sourceLabel = resolveSourceLabel(parsedSource);
+  await emitProgress("fetching skill inventory");
+  if (parsedSource.type === "well-known" || parsedSource.type === "catalog") {
+    if (parsedSource.type === "catalog") {
+      assertExperimentalFeatureEnabled("catalog", Boolean(options.experimental));
+    }
+    const remoteSkills = parsedSource.type === "well-known" ? await resolveWellKnownSkills(parsedSource.url, {
+      allowHost: options.allowHost,
+      denyHost: options.denyHost,
+      maxDownloadBytes: options.maxDownloadBytes,
+      experimental: options.experimental
+    }) : await resolveCatalogSkills(parsedSource.url, {
+      allowHost: options.allowHost,
+      denyHost: options.denyHost,
+      maxDownloadBytes: options.maxDownloadBytes,
+      experimental: options.experimental
+    });
+    return {
+      sourceType: parsedSource.type,
+      sourceLabel,
+      skills: remoteSkills.map((item) => ({
+        name: item.installName,
+        description: item.description
+      }))
+    };
+  }
+  const prepared = await prepareSourceDirAsync(parsedSource);
+  try {
+    const discovered = await discoverSkillsAsync(prepared.basePath);
+    return {
+      sourceType: parsedSource.type,
+      sourceLabel,
+      skills: discovered.map((item) => ({
+        name: item.name,
+        description: item.description
+      }))
+    };
+  } finally {
+    if (prepared.cleanup) {
+      prepared.cleanup();
+    }
+  }
+}
+async function runValidateRunTask(options, emitProgress) {
+  return await runValidateAnalysis(options, emitProgress);
+}
+function runBlockingTask(payload) {
+  const end = Date.now() + payload.durationMs;
+  while (Date.now() < end) {
+    Math.sqrt(Math.random() * Number.MAX_SAFE_INTEGER);
+  }
+  return { durationMs: payload.durationMs };
+}
+async function executeBackgroundTask(request, emitProgress) {
+  switch (request.kind) {
+    case "check.scan":
+      return await runCheckScanTask(request.payload.cwd, request.payload.options, emitProgress);
+    case "update.assess":
+      return await runUpdateAssessTask(request.payload.cwd, request.payload.options, emitProgress);
+    case "update.apply":
+      return await runUpdateApplyTask(request.payload, emitProgress);
+    case "update.migrate":
+      return await runUpdateMigrateTask(request.payload, emitProgress);
+    case "list.detectAgents":
+      return await runListDetectAgentsTask(
+        request.payload.cwd,
+        request.payload.options,
+        emitProgress
+      );
+    case "list.scanInventory":
+      return await runListScanInventoryTask(request.payload, emitProgress);
+    case "add.fetchOrDiscover":
+      return await resolveAddSourceSkills(
+        request.payload.sourceInput,
+        request.payload.options,
+        emitProgress
+      );
+    case "add.install":
+      return await installSelectedAddSkills(request.payload, emitProgress);
+    case "find.fetchInventory":
+      return await runFindFetchInventoryTask(
+        request.payload.sourceInput,
+        request.payload.options,
+        emitProgress
+      );
+    case "validate.run":
+      return await runValidateRunTask(request.payload.options, emitProgress);
+    case "test.blocking":
+      if (request.payload.progressLabel) {
+        await emitProgress(request.payload.progressLabel);
+      }
+      return runBlockingTask(request.payload);
+    default:
+      throw new Error(`Unsupported background task: ${String(request)}`);
+  }
+}
+export {
+  executeBackgroundTask
+};
+//# sourceMappingURL=background-executor.js.map