skilltest 0.4.0 → 0.5.0

package/dist/index.js

@@ -239,6 +239,171 @@ function runCompatibilityChecks(context) {
   return issues;
 }
 
+// src/core/linter/markdown-zones.ts
+function splitLines(raw) {
+  return raw.split(/\r?\n/);
+}
+function stripTopFrontmatter(raw) {
+  const lines = splitLines(raw);
+  if (lines[0] !== "---") {
+    return {
+      bodyLines: lines,
+      bodyStartLine: 1
+    };
+  }
+  for (let index = 1; index < lines.length; index += 1) {
+    if (lines[index] === "---") {
+      return {
+        bodyLines: lines.slice(index + 1),
+        bodyStartLine: index + 2
+      };
+    }
+  }
+  return {
+    bodyLines: lines,
+    bodyStartLine: 1
+  };
+}
+function matchCodeFenceOpener(line) {
+  const match = line.match(/^\s*(`{3,}|~{3,})(.*)$/);
+  return match?.[1] ?? null;
+}
+function isExactCodeFenceCloser(line, delimiter) {
+  return line.trim() === delimiter;
+}
+function appendZone(zones, type, content, startLine, endLine) {
+  if (content === "") {
+    return;
+  }
+  const previous = zones[zones.length - 1];
+  if (previous && previous.type === type && startLine <= previous.endLine + 1) {
+    const separator = startLine > previous.endLine ? "\n" : "";
+    previous.content += `${separator}${content}`;
+    previous.endLine = endLine;
+    return;
+  }
+  zones.push({
+    type,
+    content,
+    startLine,
+    endLine
+  });
+}
+function appendToOpenZone(zone, content, lineNumber) {
+  if (content === "") {
+    if (lineNumber > zone.endLine) {
+      zone.content += "\n";
+      zone.endLine = lineNumber;
+    }
+    return;
+  }
+  const separator = lineNumber > zone.endLine ? "\n" : "";
+  zone.content += `${separator}${content}`;
+  zone.endLine = lineNumber;
+}
+function addInlineAwareText(zones, text, lineNumber, baseType) {
+  if (text === "") {
+    return;
+  }
+  let cursor = 0;
+  while (cursor < text.length) {
+    const inlineStart = text.indexOf("`", cursor);
+    if (inlineStart === -1) {
+      appendZone(zones, baseType, text.slice(cursor), lineNumber, lineNumber);
+      return;
+    }
+    if (inlineStart > cursor) {
+      appendZone(zones, baseType, text.slice(cursor, inlineStart), lineNumber, lineNumber);
+    }
+    const inlineEnd = text.indexOf("`", inlineStart + 1);
+    if (inlineEnd === -1) {
+      appendZone(zones, baseType, text.slice(inlineStart), lineNumber, lineNumber);
+      return;
+    }
+    appendZone(zones, "inline-code", text.slice(inlineStart, inlineEnd + 1), lineNumber, lineNumber);
+    cursor = inlineEnd + 1;
+  }
+}
+function parseZones(raw) {
+  const { bodyLines, bodyStartLine } = stripTopFrontmatter(raw);
+  const zones = [];
+  let openCodeFence = null;
+  let openComment = null;
+  for (const [index, line] of bodyLines.entries()) {
+    const lineNumber = bodyStartLine + index;
+    if (openCodeFence) {
+      appendToOpenZone(openCodeFence.zone, line, lineNumber);
+      if (isExactCodeFenceCloser(line, openCodeFence.delimiter)) {
+        zones.push(openCodeFence.zone);
+        openCodeFence = null;
+      }
+      continue;
+    }
+    if (!openComment) {
+      const fenceDelimiter = matchCodeFenceOpener(line);
+      if (fenceDelimiter) {
+        openCodeFence = {
+          delimiter: fenceDelimiter,
+          zone: {
+            type: "code-fence",
+            content: line,
+            startLine: lineNumber,
+            endLine: lineNumber
+          }
+        };
+        continue;
+      }
+    }
+    const baseType = /^\s*>/.test(line) ? "blockquote" : "prose";
+    let cursor = 0;
+    while (cursor < line.length || openComment) {
+      if (openComment) {
+        const closeIndex = line.indexOf("-->", cursor);
+        if (closeIndex === -1) {
+          appendToOpenZone(openComment, line.slice(cursor), lineNumber);
+          cursor = line.length;
+          break;
+        }
+        appendToOpenZone(openComment, line.slice(cursor, closeIndex + 3), lineNumber);
+        zones.push(openComment);
+        openComment = null;
+        cursor = closeIndex + 3;
+        continue;
+      }
+      if (cursor >= line.length) {
+        break;
+      }
+      const commentStart = line.indexOf("<!--", cursor);
+      const textEnd = commentStart === -1 ? line.length : commentStart;
+      if (textEnd > cursor) {
+        addInlineAwareText(zones, line.slice(cursor, textEnd), lineNumber, baseType);
+      }
+      if (commentStart === -1) {
+        break;
+      }
+      const commentEnd = line.indexOf("-->", commentStart + 4);
+      if (commentEnd === -1) {
+        openComment = {
+          type: "html-comment",
+          content: line.slice(commentStart),
+          startLine: lineNumber,
+          endLine: lineNumber
+        };
+        break;
+      }
+      appendZone(zones, "html-comment", line.slice(commentStart, commentEnd + 3), lineNumber, lineNumber);
+      cursor = commentEnd + 3;
+    }
+  }
+  if (openComment) {
+    zones.push(openComment);
+  }
+  if (openCodeFence) {
+    zones.push(openCodeFence.zone);
+  }
+  return zones;
+}
+
 // src/core/linter/content.ts
 var VAGUE_PATTERNS = [
   /\bdo something appropriate\b/i,
@@ -255,6 +420,102 @@ var SECRET_PATTERNS = [
   { label: "Slack token", regex: /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/ },
   { label: "Generic private key header", regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ }
 ];
+function summarizeLineRange(matches) {
+  if (matches.length === 0) {
+    return {};
+  }
+  return {
+    startLine: Math.min(...matches.map((match) => match.startLine)),
+    endLine: Math.max(...matches.map((match) => match.endLine))
+  };
+}
+function uniqueLabels(matches) {
+  const labels = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const match of matches) {
+    if (seen.has(match.label)) {
+      continue;
+    }
+    seen.add(match.label);
+    labels.push(match.label);
+  }
+  return labels;
+}
+function collectSecretMatches(zones) {
+  const prose = [];
+  const nonProse = [];
+  for (const zone of zones) {
+    for (const pattern of SECRET_PATTERNS) {
+      if (!pattern.regex.test(zone.content)) {
+        continue;
+      }
+      const occurrence = {
+        label: pattern.label,
+        zoneType: zone.type,
+        startLine: zone.startLine,
+        endLine: zone.endLine
+      };
+      if (zone.type === "prose") {
+        prose.push(occurrence);
+      } else {
+        nonProse.push(occurrence);
+      }
+    }
+  }
+  return { prose, nonProse };
+}
+function buildSkippedPatterns(matches) {
+  if (matches.length === 0) {
+    return void 0;
+  }
+  return matches.map((match) => ({
+    label: match.label,
+    zoneType: match.zoneType,
+    startLine: match.startLine,
+    endLine: match.endLine
+  }));
+}
+function buildSecretsIssue(context) {
+  if (context.suppressedCheckIds.has("content:secrets")) {
+    return null;
+  }
+  const { prose, nonProse } = collectSecretMatches(parseZones(context.skill.raw));
+  const proseLabels = uniqueLabels(prose);
+  const nonProseLabels = uniqueLabels(nonProse);
+  const skippedPatterns = buildSkippedPatterns(nonProse);
+  if (proseLabels.length > 0) {
+    return {
+      id: "content.secrets",
+      checkId: "content:secrets",
+      title: "Hardcoded Secrets",
+      status: "fail",
+      message: `Potential secrets detected (${proseLabels.join(", ")}).`,
+      suggestion: "Remove secrets from skill files and use environment variables or secret managers.",
+      ...summarizeLineRange(prose),
+      skippedPatterns
+    };
+  }
+  if (nonProseLabels.length > 0) {
+    const codeFenceOnly = nonProse.every((match) => match.zoneType === "code-fence");
+    return {
+      id: "content.secrets",
+      checkId: "content:secrets",
+      title: "Hardcoded Secrets",
+      status: "warn",
+      message: codeFenceOnly ? `Possible secret in code example \u2014 verify this is a placeholder, not a real key (${nonProseLabels.join(", ")}).` : `Possible secrets found outside prose instructions (${nonProseLabels.join(", ")}). Verify these are placeholders, not real credentials.`,
+      suggestion: "Replace real-looking credentials in examples with explicit placeholders such as YOUR_API_KEY.",
+      ...summarizeLineRange(nonProse),
+      skippedPatterns
+    };
+  }
+  return {
+    id: "content.secrets",
+    checkId: "content:secrets",
+    title: "Hardcoded Secrets",
+    status: "pass",
+    message: "No obvious API keys or secrets patterns were detected."
+  };
+}
 function runContentChecks(context) {
   const issues = [];
   const body = context.frontmatter.content;
@@ -334,29 +595,9 @@ function runContentChecks(context) {
       message: "No angle bracket tokens detected in frontmatter."
     });
   }
-  const secretHits = /* @__PURE__ */ new Set();
-  for (const pattern of SECRET_PATTERNS) {
-    if (pattern.regex.test(context.skill.raw)) {
-      secretHits.add(pattern.label);
-    }
-  }
-  if (secretHits.size > 0) {
-    issues.push({
-      id: "content.secrets",
-      checkId: "content:secrets",
-      title: "Hardcoded Secrets",
-      status: "fail",
-      message: `Potential secrets detected (${Array.from(secretHits).join(", ")}).`,
-      suggestion: "Remove secrets from skill files and use environment variables or secret managers."
-    });
-  } else {
-    issues.push({
-      id: "content.secrets",
-      checkId: "content:secrets",
-      title: "Hardcoded Secrets",
-      status: "pass",
-      message: "No obvious API keys or secrets patterns were detected."
-    });
+  const secretsIssue = buildSecretsIssue(context);
+  if (secretsIssue) {
+    issues.push(secretsIssue);
   }
   if (bodyLines.length < 10) {
     issues.push({
@@ -776,93 +1017,159 @@ var SHELL_ACTIVITY_PATTERNS = [
   /\b(?:npm|pnpm|yarn|pip|git|docker|kubectl)\s+[A-Za-z0-9-]/i
 ];
 var SAFETY_GUARDRAIL_PATTERN = /\b(?:ask before|confirm|approval|dry[- ]run|sandbox|least privilege|redact|never expose|do not reveal)\b/i;
-function collectMatches(content, patterns) {
-  const matches = [];
-  for (const pattern of patterns) {
-    if (pattern.regex.test(content)) {
-      matches.push(pattern.label);
+function buildOccurrence(zone, pattern) {
+  return {
+    label: pattern.label,
+    zoneType: zone.type,
+    startLine: zone.startLine,
+    endLine: zone.endLine
+  };
+}
+function collectZoneAwareMatches(zones, patterns) {
+  const flagged = [];
+  const skipped = [];
+  for (const zone of zones) {
+    for (const pattern of patterns) {
+      if (!pattern.regex.test(zone.content)) {
+        continue;
+      }
+      const occurrence = buildOccurrence(zone, pattern);
+      if (zone.type === "prose") {
+        flagged.push(occurrence);
+      } else {
+        skipped.push(occurrence);
+      }
     }
   }
-  return matches;
+  return { flagged, skipped };
+}
+function uniqueLabels2(matches) {
+  const labels = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const match of matches) {
+    if (seen.has(match.label)) {
+      continue;
+    }
+    seen.add(match.label);
+    labels.push(match.label);
+  }
+  return labels;
+}
+function summarizeLineRange2(matches) {
+  if (matches.length === 0) {
+    return {};
+  }
+  return {
+    startLine: Math.min(...matches.map((match) => match.startLine)),
+    endLine: Math.max(...matches.map((match) => match.endLine))
+  };
+}
+function buildSkippedPatterns2(matches) {
+  if (matches.length === 0) {
+    return void 0;
+  }
+  return matches.map((match) => ({
+    label: match.label,
+    zoneType: match.zoneType,
+    startLine: match.startLine,
+    endLine: match.endLine
+  }));
+}
+function isSuppressed(context, checkId) {
+  return context.suppressedCheckIds.has(checkId);
+}
+function runZoneAwareSecurityCheck(context, zones, options) {
+  if (isSuppressed(context, options.checkId)) {
+    return null;
+  }
+  const matches = collectZoneAwareMatches(zones, options.patterns);
+  const labels = uniqueLabels2(matches.flagged);
+  const skippedPatterns = buildSkippedPatterns2(matches.skipped);
+  if (labels.length > 0) {
+    return {
+      id: options.id,
+      checkId: options.checkId,
+      title: options.title,
+      status: options.statusOnMatch,
+      message: `${options.matchMessagePrefix}: ${labels.join(", ")}.`,
+      suggestion: options.suggestion,
+      ...summarizeLineRange2(matches.flagged),
+      skippedPatterns
+    };
+  }
+  return {
+    id: options.id,
+    checkId: options.checkId,
+    title: options.title,
+    status: "pass",
+    message: options.passMessage,
+    skippedPatterns
+  };
 }
 function runSecurityChecks(context) {
   const issues = [];
   const skillText = context.skill.raw;
-  const dangerousCommandHits = collectMatches(skillText, DANGEROUS_COMMAND_PATTERNS);
-  if (dangerousCommandHits.length > 0) {
-    issues.push({
-      id: "security.dangerous-command-patterns",
-      checkId: "security:dangerous-commands",
-      title: "Dangerous Command Patterns",
-      status: "fail",
-      message: `Potentially dangerous command instruction patterns found: ${dangerousCommandHits.join(", ")}.`,
-      suggestion: "Remove destructive/pipe-exec command examples or wrap them with explicit safety constraints."
-    });
-  } else {
-    issues.push({
-      id: "security.dangerous-command-patterns",
-      checkId: "security:dangerous-commands",
-      title: "Dangerous Command Patterns",
-      status: "pass",
-      message: "No high-risk destructive or direct pipe-to-shell patterns detected."
-    });
-  }
-  const exfiltrationHits = collectMatches(skillText, EXFILTRATION_PATTERNS);
-  if (exfiltrationHits.length > 0) {
-    issues.push({
-      id: "security.exfiltration-patterns",
-      checkId: "security:exfiltration",
-      title: "Sensitive Data Exfiltration",
-      status: "fail",
-      message: `Possible sensitive data exfiltration patterns found: ${exfiltrationHits.join(", ")}.`,
-      suggestion: "Remove instructions that access or transmit secrets/credential files."
-    });
-  } else {
-    issues.push({
-      id: "security.exfiltration-patterns",
-      checkId: "security:exfiltration",
-      title: "Sensitive Data Exfiltration",
-      status: "pass",
-      message: "No obvious credential access/exfiltration instructions detected."
-    });
-  }
-  const escalationHits = collectMatches(skillText, PRIVILEGE_ESCALATION_PATTERNS);
-  if (escalationHits.length > 0) {
-    issues.push({
-      id: "security.privilege-escalation",
-      checkId: "security:privilege-escalation",
-      title: "Privilege Escalation Language",
-      status: "warn",
-      message: `Potentially risky privilege/execution language detected: ${escalationHits.join(", ")}.`,
-      suggestion: "Prefer least-privilege execution and explicit approval steps for elevated commands."
-    });
-  } else {
-    issues.push({
-      id: "security.privilege-escalation",
-      checkId: "security:privilege-escalation",
-      title: "Privilege Escalation Language",
-      status: "pass",
-      message: "No obvious privilege-escalation language detected."
-    });
+  const needsZoneParsing = !isSuppressed(context, "security:dangerous-commands") || !isSuppressed(context, "security:exfiltration") || !isSuppressed(context, "security:privilege-escalation");
+  const zones = needsZoneParsing ? parseZones(skillText) : [];
+  const dangerousCommandsIssue = runZoneAwareSecurityCheck(context, zones, {
+    id: "security.dangerous-command-patterns",
+    checkId: "security:dangerous-commands",
+    title: "Dangerous Command Patterns",
+    statusOnMatch: "fail",
+    patterns: DANGEROUS_COMMAND_PATTERNS,
+    matchMessagePrefix: "Potentially dangerous command instruction patterns found",
+    passMessage: "No high-risk destructive or direct pipe-to-shell patterns detected.",
+    suggestion: "Remove destructive/pipe-exec command examples or wrap them with explicit safety constraints."
+  });
+  if (dangerousCommandsIssue) {
+    issues.push(dangerousCommandsIssue);
+  }
+  const exfiltrationIssue = runZoneAwareSecurityCheck(context, zones, {
+    id: "security.exfiltration-patterns",
+    checkId: "security:exfiltration",
+    title: "Sensitive Data Exfiltration",
+    statusOnMatch: "fail",
+    patterns: EXFILTRATION_PATTERNS,
+    matchMessagePrefix: "Possible sensitive data exfiltration patterns found",
+    passMessage: "No obvious credential access/exfiltration instructions detected.",
+    suggestion: "Remove instructions that access or transmit secrets/credential files."
+  });
+  if (exfiltrationIssue) {
+    issues.push(exfiltrationIssue);
+  }
+  const privilegeEscalationIssue = runZoneAwareSecurityCheck(context, zones, {
+    id: "security.privilege-escalation",
+    checkId: "security:privilege-escalation",
+    title: "Privilege Escalation Language",
+    statusOnMatch: "warn",
+    patterns: PRIVILEGE_ESCALATION_PATTERNS,
+    matchMessagePrefix: "Potentially risky privilege/execution language detected",
+    passMessage: "No obvious privilege-escalation language detected.",
+    suggestion: "Prefer least-privilege execution and explicit approval steps for elevated commands."
+  });
+  if (privilegeEscalationIssue) {
+    issues.push(privilegeEscalationIssue);
   }
-  const hasShellActivity = SHELL_ACTIVITY_PATTERNS.some((pattern) => pattern.test(skillText));
-  if (hasShellActivity && !SAFETY_GUARDRAIL_PATTERN.test(skillText)) {
-    issues.push({
-      id: "security.safety-guardrails",
-      checkId: "security:missing-guardrails",
-      title: "Execution Safety Guardrails",
-      status: "warn",
-      message: "Shell/tool execution is present, but no explicit safety guardrails were detected.",
-      suggestion: "Add guidance such as approval requirements, dry-run mode, scope checks, and redaction rules."
-    });
-  } else {
-    issues.push({
-      id: "security.safety-guardrails",
-      checkId: "security:missing-guardrails",
-      title: "Execution Safety Guardrails",
-      status: "pass",
-      message: hasShellActivity ? "Shell/tool execution instructions include at least one safety guardrail." : "No shell/tool execution instructions detected."
-    });
+  if (!isSuppressed(context, "security:missing-guardrails")) {
+    const hasShellActivity = SHELL_ACTIVITY_PATTERNS.some((pattern) => pattern.test(skillText));
+    if (hasShellActivity && !SAFETY_GUARDRAIL_PATTERN.test(skillText)) {
+      issues.push({
+        id: "security.safety-guardrails",
+        checkId: "security:missing-guardrails",
+        title: "Execution Safety Guardrails",
+        status: "warn",
+        message: "Shell/tool execution is present, but no explicit safety guardrails were detected.",
+        suggestion: "Add guidance such as approval requirements, dry-run mode, scope checks, and redaction rules."
+      });
+    } else {
+      issues.push({
+        id: "security.safety-guardrails",
+        checkId: "security:missing-guardrails",
+        title: "Execution Safety Guardrails",
+        status: "pass",
+        message: hasShellActivity ? "Shell/tool execution instructions include at least one safety guardrail." : "No shell/tool execution instructions detected."
+      });
+    }
   }
   return issues;
 }
@@ -1038,9 +1345,11 @@ function lintFails(report, failOn) {
 async function runLinter(inputPath, options = {}) {
   const skill = await loadSkillFile(inputPath);
   const frontmatter = parseFrontmatter(skill.raw);
+  const suppressedCheckIds = new Set(options.suppress ?? []);
   const context = {
     skill,
-    frontmatter
+    frontmatter,
+    suppressedCheckIds
   };
   const issues = [];
   issues.push(...runFrontmatterChecks(context));
@@ -1049,8 +1358,7 @@ async function runLinter(inputPath, options = {}) {
   issues.push(...runSecurityChecks(context));
   issues.push(...await runDisclosureChecks(context));
   issues.push(...runCompatibilityChecks(context));
-  const suppress = new Set(options.suppress ?? []);
-  const filteredIssues = issues.filter((issue) => !suppress.has(issue.checkId));
+  const filteredIssues = issues.filter((issue) => !suppressedCheckIds.has(issue.checkId));
   return {
     target: inputPath,
     issues: filteredIssues,
@@ -1070,6 +1378,14 @@ function renderIssueLine(issue, c) {
   return `  ${label} ${issue.title}
       ${issue.message}${detail}`;
 }
+function countSkippedSecurityPatterns(issues) {
+  return issues.reduce((total, issue) => {
+    if (!issue.checkId.startsWith("security:")) {
+      return total;
+    }
+    return total + (issue.skippedPatterns?.length ?? 0);
+  }, 0);
+}
 function renderLintReport(report, enableColor) {
   const c = getChalkInstance(enableColor);
   const { passed, warnings, failures, total } = report.summary;
@@ -1082,8 +1398,11 @@ function renderLintReport(report, enableColor) {
     `\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518`
   ];
   const renderedIssues = report.issues.map((issue) => renderIssueLine(issue, c)).join("\n");
+  const skippedSecurityPatterns = countSkippedSecurityPatterns(report.issues);
+  const infoLine = skippedSecurityPatterns > 0 ? `
+  ${c.cyan("\u2139")} ${skippedSecurityPatterns} security pattern(s) found in code examples/comments (not flagged)` : "";
   return `${headerLines.join("\n")}
-${renderedIssues}`;
+${renderedIssues}${infoLine}`;
 }
 function formatPercent(value) {
   return `${(value * 100).toFixed(1)}%`;
@@ -1171,6 +1490,10 @@ function renderCheckReport(result, enableColor, verbose) {
   for (const issue of lintIssues) {
     lines.push(renderIssueLine(issue, c));
   }
+  const skippedSecurityPatterns = countSkippedSecurityPatterns(result.lint.issues);
+  if (skippedSecurityPatterns > 0) {
+    lines.push(`  ${c.cyan("\u2139")} ${skippedSecurityPatterns} security pattern(s) found in code examples/comments (not flagged)`);
+  }
   lines.push("");
   lines.push("Trigger");
   if (result.trigger) {
@@ -1401,23 +1724,28 @@ var FAKE_SKILLS = [
   { name: "test-generator", description: "Generates unit and integration test cases from feature requirements." },
   { name: "prompt-tuner", description: "Improves prompts for reliability, formatting, and failure handling." }
 ];
-function createSeededRandom(seed) {
-  let state = seed >>> 0;
+function mulberry32(seed) {
   return () => {
-    state = state * 1664525 + 1013904223 >>> 0;
-    return state / 4294967296;
+    seed |= 0;
+    seed = seed + 1831565813 | 0;
+    let t = Math.imul(seed ^ seed >>> 15, 1 | seed);
+    t = t + Math.imul(t ^ t >>> 7, 61 | t) ^ t;
+    return ((t ^ t >>> 14) >>> 0) / 4294967296;
   };
 }
-function shuffle(values, random = Math.random) {
+function createRng(seed) {
+  return seed !== void 0 ? mulberry32(seed) : Math.random;
+}
+function shuffle(values, rng) {
   const copy = [...values];
   for (let index = copy.length - 1; index > 0; index -= 1) {
-    const swapIndex = Math.floor(random() * (index + 1));
+    const swapIndex = Math.floor(rng() * (index + 1));
     [copy[index], copy[swapIndex]] = [copy[swapIndex], copy[index]];
   }
   return copy;
 }
-function sample(values, count, random = Math.random) {
-  return shuffle(values, random).slice(0, Math.max(0, Math.min(count, values.length)));
+function sample(values, count, rng) {
+  return shuffle(values, rng).slice(0, Math.max(0, Math.min(count, values.length)));
 }
 function parseJsonArrayFromModelOutput(raw) {
   const trimmed = raw.trim();
@@ -1529,20 +1857,20 @@ function buildSuggestions(metrics) {
   return suggestions;
 }
 async function runTriggerTest(skill, options) {
-  const random = options.seed === void 0 ? Math.random : createSeededRandom(options.seed);
+  const rng = createRng(options.seed);
   const queries = options.queries && options.queries.length > 0 ? triggerQueryArraySchema.parse(options.queries) : await generateQueriesWithModel(skill, options.provider, options.model, options.numQueries);
   const results = [];
   const skillName = skill.frontmatter.name;
   for (const testQuery of queries) {
-    const fakeCount = 5 + Math.floor(random() * 4);
-    const fakeSkills = sample(FAKE_SKILLS, fakeCount, random);
+    const fakeCount = 5 + Math.floor(rng() * 5);
+    const fakeSkills = sample(FAKE_SKILLS, fakeCount, rng);
     const allSkills = shuffle([
       ...fakeSkills,
       {
         name: skill.frontmatter.name,
         description: skill.frontmatter.description
       }
-    ], random);
+    ], rng);
     const skillListText = allSkills.map((entry) => `- ${entry.name}: ${entry.description}`).join("\n");
     const systemPrompt = [
       "You are selecting one skill to activate for a user query.",
@@ -1571,6 +1899,7 @@ async function runTriggerTest(skill, options) {
     skillName,
     model: options.model,
     provider: options.provider.name,
+    seed: options.seed,
     queries,
     cases: results,
     metrics,
@@ -2221,6 +2550,7 @@ function createProvider(providerName, apiKeyOverride) {
 var triggerCliSchema = z7.object({
   queries: z7.string().optional(),
   saveQueries: z7.string().optional(),
+  seed: z7.number().int().optional(),
   verbose: z7.boolean().optional(),
   apiKey: z7.string().optional()
 });
@@ -2232,6 +2562,13 @@ function resolveModel(provider, model) {
   }
   return model;
 }
+function renderTriggerOutputWithSeed(output, seed) {
+  if (seed === void 0) {
+    return output;
+  }
+  return `${output}
+Seed: ${seed}`;
+}
 async function handleTriggerCommand(targetPath, options) {
   const spinner = options.json || !process.stdout.isTTY ? null : ora("Preparing trigger evaluation...").start();
   try {
@@ -2269,7 +2606,7 @@ async function handleTriggerCommand(targetPath, options) {
     if (options.json) {
       writeResult(result, true);
     } else {
-      writeResult(renderTriggerReport(result, options.color, options.verbose), false);
+      writeResult(renderTriggerOutputWithSeed(renderTriggerReport(result, options.color, options.verbose), result.seed), false);
     }
   } catch (error) {
     spinner?.stop();
@@ -2278,7 +2615,7 @@ async function handleTriggerCommand(targetPath, options) {
   }
 }
 function registerTriggerCommand(program) {
-  program.command("trigger").description("Evaluate whether a skill description triggers correctly.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--model <model>", "Model to use").option("--provider <provider>", "LLM provider: anthropic|openai").option("--queries <path>", "Path to custom test queries JSON").option("--num-queries <n>", "Number of auto-generated queries", (value) => Number.parseInt(value, 10)).option("--save-queries <path>", "Save generated queries to a JSON file").option("--api-key <key>", "API key override").option("--verbose", "Show full model decisions").action(async (targetPath, _commandOptions, command) => {
+  program.command("trigger").description("Evaluate whether a skill description triggers correctly.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--model <model>", "Model to use").option("--provider <provider>", "LLM provider: anthropic|openai").option("--queries <path>", "Path to custom test queries JSON").option("--num-queries <n>", "Number of auto-generated queries", (value) => Number.parseInt(value, 10)).option("--seed <number>", "RNG seed for reproducible results", (value) => Number.parseInt(value, 10)).option("--save-queries <path>", "Save generated queries to a JSON file").option("--api-key <key>", "API key override").option("--verbose", "Show full model decisions").action(async (targetPath, _commandOptions, command) => {
     const globalOptions = getGlobalCliOptions(command);
     const config = getResolvedConfig(command);
     const parsedCli = triggerCliSchema.safeParse(command.opts());
@@ -2294,7 +2631,7 @@ function registerTriggerCommand(program) {
       queries: parsedCli.data.queries,
       numQueries: config.trigger.numQueries,
       saveQueries: parsedCli.data.saveQueries,
-      seed: config.trigger.seed,
+      seed: parsedCli.data.seed ?? config.trigger.seed,
       verbose: Boolean(parsedCli.data.verbose),
       apiKey: parsedCli.data.apiKey
     });
@@ -2482,6 +2819,7 @@ var checkCliSchema = z9.object({
   graderModel: z9.string().optional(),
   apiKey: z9.string().optional(),
   queries: z9.string().optional(),
+  seed: z9.number().int().optional(),
   prompts: z9.string().optional(),
   saveResults: z9.string().optional(),
   continueOnLintFail: z9.boolean().optional(),
@@ -2495,6 +2833,19 @@ function resolveModel3(provider, model) {
   }
   return model;
 }
+function renderCheckOutputWithSeed(output, seed) {
+  if (seed === void 0) {
+    return output;
+  }
+  const lines = output.split("\n");
+  const triggerIndex = lines.indexOf("Trigger");
+  if (triggerIndex === -1) {
+    return `${output}
+Seed: ${seed}`;
+  }
+  lines.splice(triggerIndex + 1, 0, `Seed: ${seed}`);
+  return lines.join("\n");
+}
 async function handleCheckCommand(targetPath, options, command) {
   const spinner = options.json || !process.stdout.isTTY ? null : ora3("Preparing check run...").start();
   try {
@@ -2557,7 +2908,10 @@ async function handleCheckCommand(targetPath, options, command) {
     if (options.json) {
       writeResult(result, true);
     } else {
-      writeResult(renderCheckReport(result, options.color, options.verbose), false);
+      writeResult(
+        renderCheckOutputWithSeed(renderCheckReport(result, options.color, options.verbose), result.trigger?.seed),
+        false
+      );
     }
     process.exitCode = result.gates.overallPassed ? 0 : 1;
   } catch (error) {
@@ -2567,7 +2921,7 @@ async function handleCheckCommand(targetPath, options, command) {
   }
 }
 function registerCheckCommand(program) {
-  program.command("check").description("Run lint + trigger + eval with threshold-based quality gates.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--provider <provider>", "LLM provider: anthropic|openai").option("--model <model>", "Model for trigger/eval runs").option("--grader-model <model>", "Model used for grading (defaults to --model)").option("--api-key <key>", "API key override").option("--queries <path>", "Path to custom trigger queries JSON").option("--num-queries <n>", "Number of auto-generated trigger queries", (value) => Number.parseInt(value, 10)).option("--prompts <path>", "Path to eval prompts JSON").option("--min-f1 <n>", "Minimum required trigger F1 score (0-1)", (value) => Number.parseFloat(value)).option("--min-assert-pass-rate <n>", "Minimum required eval assertion pass rate (0-1)", (value) => Number.parseFloat(value)).option("--save-results <path>", "Save combined check results to JSON").option("--continue-on-lint-fail", "Continue trigger/eval stages even when lint has failures").option("--verbose", "Show detailed trigger/eval output sections").action(async (targetPath, _commandOptions, command) => {
+  program.command("check").description("Run lint + trigger + eval with threshold-based quality gates.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--provider <provider>", "LLM provider: anthropic|openai").option("--model <model>", "Model for trigger/eval runs").option("--grader-model <model>", "Model used for grading (defaults to --model)").option("--api-key <key>", "API key override").option("--queries <path>", "Path to custom trigger queries JSON").option("--num-queries <n>", "Number of auto-generated trigger queries", (value) => Number.parseInt(value, 10)).option("--seed <number>", "RNG seed for reproducible results", (value) => Number.parseInt(value, 10)).option("--prompts <path>", "Path to eval prompts JSON").option("--min-f1 <n>", "Minimum required trigger F1 score (0-1)", (value) => Number.parseFloat(value)).option("--min-assert-pass-rate <n>", "Minimum required eval assertion pass rate (0-1)", (value) => Number.parseFloat(value)).option("--save-results <path>", "Save combined check results to JSON").option("--continue-on-lint-fail", "Continue trigger/eval stages even when lint has failures").option("--verbose", "Show detailed trigger/eval output sections").action(async (targetPath, _commandOptions, command) => {
     const globalOptions = getGlobalCliOptions(command);
     const config = getResolvedConfig(command);
     const parsedCli = checkCliSchema.safeParse(command.opts());
@@ -2592,7 +2946,7 @@ function registerCheckCommand(program) {
         numRuns: config.eval.numRuns,
         lintFailOn: config.lint.failOn,
         lintSuppress: config.lint.suppress,
-        triggerSeed: config.trigger.seed,
+        triggerSeed: parsedCli.data.seed ?? config.trigger.seed,
         saveResults: parsedCli.data.saveResults,
         continueOnLintFail: Boolean(parsedCli.data.continueOnLintFail),
         verbose: Boolean(parsedCli.data.verbose)