teamcopilot 0.1.15 → 0.2.0

package/dist/utils/secret-contract-validation.js

@@ -0,0 +1,184 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractReferencedWorkflowSecrets = extractReferencedWorkflowSecrets;
+exports.extractReferencedSkillSecrets = extractReferencedSkillSecrets;
+exports.parseWorkflowRequiredSecrets = parseWorkflowRequiredSecrets;
+exports.parseSkillRequiredSecrets = parseSkillRequiredSecrets;
+exports.validateWorkflowSecretContract = validateWorkflowSecretContract;
+exports.validateSkillSecretContract = validateSkillSecretContract;
+exports.validateWorkflowFilesAtPath = validateWorkflowFilesAtPath;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const secrets_1 = require("./secrets");
+const PYTHON_SECRET_PATTERNS = [
+    /os\.environ\[\s*["']([A-Za-z_][A-Za-z0-9_]*)["']\s*\]/g,
+    /os\.getenv\(\s*["']([A-Za-z_][A-Za-z0-9_]*)["']\s*[\),]/g,
+    /environ\.get\(\s*["']([A-Za-z_][A-Za-z0-9_]*)["']\s*[\),]/g,
+];
+const SKILL_SECRET_PLACEHOLDER_PATTERN = /\{\{SECRET:([A-Z][A-Z0-9_]*)\}\}/g;
+function findDuplicateKeys(rawKeys) {
+    const seen = new Set();
+    const duplicates = new Set();
+    for (const rawKey of rawKeys) {
+        if (typeof rawKey !== "string") {
+            continue;
+        }
+        const normalized = rawKey.trim().toUpperCase();
+        if (!normalized) {
+            continue;
+        }
+        if (seen.has(normalized)) {
+            duplicates.add(normalized);
+            continue;
+        }
+        seen.add(normalized);
+    }
+    return Array.from(duplicates).sort();
+}
+function assertNoDuplicateSecretKeys(rawKeys, context) {
+    const duplicates = findDuplicateKeys(rawKeys);
+    if (duplicates.length > 0) {
+        throw {
+            status: 400,
+            message: `${context} contains duplicate required secret keys: ${duplicates.join(", ")}`
+        };
+    }
+}
+function extractReferencedWorkflowSecrets(runPyContent) {
+    const found = new Set();
+    for (const pattern of PYTHON_SECRET_PATTERNS) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(runPyContent)) !== null) {
+            found.add(match[1].trim().toUpperCase());
+        }
+    }
+    return Array.from(found).sort();
+}
+function extractReferencedSkillSecrets(skillMarkdownContent) {
+    const found = new Set();
+    let match;
+    SKILL_SECRET_PLACEHOLDER_PATTERN.lastIndex = 0;
+    while ((match = SKILL_SECRET_PLACEHOLDER_PATTERN.exec(skillMarkdownContent)) !== null) {
+        found.add(match[1]);
+    }
+    return Array.from(found).sort();
+}
+function parseWorkflowRequiredSecrets(workflowJsonContent) {
+    let parsed = null;
+    try {
+        parsed = JSON.parse(workflowJsonContent);
+    }
+    catch {
+        throw {
+            status: 400,
+            message: "workflow.json must contain valid JSON"
+        };
+    }
+    const rawKeys = Array.isArray(parsed?.required_secrets) ? parsed.required_secrets : [];
+    assertNoDuplicateSecretKeys(rawKeys, "workflow.json required_secrets");
+    return (0, secrets_1.assertValidSecretKeyList)(rawKeys.filter((item) => typeof item === "string"), "workflow.json required_secrets");
+}
+function extractSkillFrontmatterBlock(skillMarkdownContent) {
+    const frontmatterMatch = skillMarkdownContent.match(/^---\s*\n([\s\S]*?)\n---\s*/);
+    return frontmatterMatch?.[1] ?? "";
+}
+function extractFrontmatterRequiredSecrets(frontmatter) {
+    const lines = frontmatter.split("\n");
+    for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index] ?? "";
+        const match = line.match(/^required_secrets\s*:\s*(.*)$/);
+        if (!match) {
+            continue;
+        }
+        const rawValue = match[1]?.trim() ?? "";
+        if (rawValue.startsWith("[")) {
+            let parsed;
+            try {
+                parsed = JSON.parse(rawValue.replace(/'/g, "\""));
+            }
+            catch {
+                throw {
+                    status: 400,
+                    message: "SKILL.md frontmatter required_secrets must be a valid string array"
+                };
+            }
+            if (!Array.isArray(parsed) || !parsed.every((item) => typeof item === "string")) {
+                throw {
+                    status: 400,
+                    message: "SKILL.md frontmatter required_secrets must contain only strings"
+                };
+            }
+            assertNoDuplicateSecretKeys(parsed, "SKILL.md required_secrets");
+            return {
+                raw: parsed,
+                normalized: (0, secrets_1.assertValidSecretKeyList)(parsed, "SKILL.md required_secrets"),
+            };
+        }
+        if (rawValue.length > 0) {
+            assertNoDuplicateSecretKeys([rawValue], "SKILL.md required_secrets");
+            return {
+                raw: [rawValue],
+                normalized: (0, secrets_1.assertValidSecretKeyList)([rawValue], "SKILL.md required_secrets"),
+            };
+        }
+        const items = [];
+        for (let itemIndex = index + 1; itemIndex < lines.length; itemIndex += 1) {
+            const itemLine = lines[itemIndex] ?? "";
+            if (itemLine.trim().length === 0) {
+                continue;
+            }
+            const itemMatch = itemLine.match(/^\s*-\s*(.+)\s*$/);
+            if (!itemMatch) {
+                break;
+            }
+            items.push(itemMatch[1].replace(/^["']|["']$/g, "").trim());
+        }
+        assertNoDuplicateSecretKeys(items, "SKILL.md required_secrets");
+        return {
+            raw: items,
+            normalized: (0, secrets_1.assertValidSecretKeyList)(items, "SKILL.md required_secrets"),
+        };
+    }
+    return {
+        raw: [],
+        normalized: [],
+    };
+}
+function parseSkillRequiredSecrets(skillMarkdownContent) {
+    const { normalized } = extractFrontmatterRequiredSecrets(extractSkillFrontmatterBlock(skillMarkdownContent));
+    return normalized;
+}
+function validateWorkflowSecretContract(contents) {
+    const declared = new Set(parseWorkflowRequiredSecrets(contents.workflowJsonContent));
+    const referenced = extractReferencedWorkflowSecrets(contents.runPyContent);
+    const missing = referenced.filter((key) => !declared.has(key));
+    if (missing.length > 0) {
+        throw {
+            status: 400,
+            message: `run.py references secret keys not declared in workflow.json required_secrets: ${missing.join(", ")}`
+        };
+    }
+}
+function validateSkillSecretContract(skillMarkdownContent) {
+    const declared = new Set(parseSkillRequiredSecrets(skillMarkdownContent));
+    const referenced = extractReferencedSkillSecrets(skillMarkdownContent);
+    const missing = referenced.filter((key) => !declared.has(key));
+    if (missing.length > 0) {
+        throw {
+            status: 400,
+            message: `SKILL.md uses secret placeholders not declared in required_secrets: ${missing.join(", ")}`
+        };
+    }
+}
+function validateWorkflowFilesAtPath(workflowPath) {
+    const workflowJsonPath = path_1.default.join(workflowPath, "workflow.json");
+    const runPyPath = path_1.default.join(workflowPath, "run.py");
+    validateWorkflowSecretContract({
+        workflowJsonContent: fs_1.default.readFileSync(workflowJsonPath, "utf-8"),
+        runPyContent: fs_1.default.readFileSync(runPyPath, "utf-8"),
+    });
+}

package/dist/utils/secrets.js

@@ -0,0 +1,127 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertSecretKey = assertSecretKey;
+exports.normalizeSecretKeyList = normalizeSecretKeyList;
+exports.assertValidSecretKeyList = assertValidSecretKeyList;
+exports.toSecretListItem = toSecretListItem;
+exports.resolveSecretsForUser = resolveSecretsForUser;
+exports.resolveSecretsFromResolvedMap = resolveSecretsFromResolvedMap;
+exports.listResolvedSecretsForUser = listResolvedSecretsForUser;
+const client_1 = __importDefault(require("../prisma/client"));
+const SECRET_KEY_REGEX = /^[A-Z][A-Z0-9_]*$/;
+function assertSecretKey(key) {
+    const normalized = key.trim().toUpperCase();
+    if (!SECRET_KEY_REGEX.test(normalized)) {
+        throw {
+            status: 400,
+            message: "Secret key must contain only uppercase letters, numbers, and underscores, and must start with a letter"
+        };
+    }
+    return normalized;
+}
+function normalizeSecretKeyList(keys) {
+    if (!Array.isArray(keys)) {
+        return [];
+    }
+    const normalized = [];
+    const seen = new Set();
+    for (const rawKey of keys) {
+        if (typeof rawKey !== "string") {
+            continue;
+        }
+        const key = rawKey.trim().toUpperCase();
+        if (!SECRET_KEY_REGEX.test(key) || seen.has(key)) {
+            continue;
+        }
+        seen.add(key);
+        normalized.push(key);
+    }
+    return normalized;
+}
+function assertValidSecretKeyList(rawKeys, context) {
+    if (!Array.isArray(rawKeys)) {
+        return [];
+    }
+    const invalidKeys = rawKeys
+        .filter((rawKey) => typeof rawKey === "string")
+        .map((rawKey) => rawKey.trim())
+        .filter((key) => key.length > 0 && !SECRET_KEY_REGEX.test(key.toUpperCase()));
+    if (invalidKeys.length > 0) {
+        throw {
+            status: 400,
+            message: `${context} contains invalid required secret keys: ${invalidKeys.join(", ")}. Secret keys must start with a letter and contain only uppercase letters, numbers, and underscores. Example: GITHUB_TOKEN`
+        };
+    }
+    return normalizeSecretKeyList(rawKeys);
+}
+function maskSecretValue(value) {
+    if (value.length === 0) {
+        return "***";
+    }
+    const suffixLength = value.length <= 4 ? 1 : 4;
+    return `***${value.slice(-suffixLength)}`;
+}
+function toSecretListItem(row, maskValueForClient) {
+    return {
+        key: row.key,
+        value: maskValueForClient ? maskSecretValue(row.value) : row.value,
+        updated_at: row.updated_at,
+        created_at: row.created_at,
+    };
+}
+async function resolveSecretsForUser(userId, requiredKeys) {
+    const keys = normalizeSecretKeyList(requiredKeys);
+    if (keys.length === 0) {
+        return {
+            secretMap: {},
+            missingKeys: [],
+        };
+    }
+    const resolvedSecrets = await listResolvedSecretsForUser(userId);
+    return resolveSecretsFromResolvedMap(resolvedSecrets, keys);
+}
+function resolveSecretsFromResolvedMap(resolvedSecrets, requiredKeys) {
+    const keys = normalizeSecretKeyList(requiredKeys);
+    if (keys.length === 0) {
+        return {
+            secretMap: {},
+            missingKeys: [],
+        };
+    }
+    const secretMap = {};
+    const missingKeys = [];
+    for (const key of keys) {
+        const value = resolvedSecrets[key];
+        if (value !== undefined) {
+            secretMap[key] = value;
+            continue;
+        }
+        missingKeys.push(key);
+    }
+    return {
+        secretMap,
+        missingKeys,
+    };
+}
+async function listResolvedSecretsForUser(userId) {
+    const [userSecrets, globalSecrets] = await Promise.all([
+        client_1.default.user_secrets.findMany({
+            where: { user_id: userId },
+            orderBy: { key: "asc" }
+        }),
+        client_1.default.global_secrets.findMany({
+            orderBy: { key: "asc" }
+        }),
+    ]);
+    const resolvedSecretMap = {};
+    for (const row of globalSecrets) {
+        resolvedSecretMap[row.key] = row.value;
+    }
+    for (const row of userSecrets) {
+        resolvedSecretMap[row.key] = row.value;
+    }
+    return Object.fromEntries(Object.entries(resolvedSecretMap).sort(([left], [right]) => left.localeCompare(right)));
+}

package/dist/utils/skill-files.js

@@ -3,10 +3,17 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.deleteSkillPath = exports.renameSkillPath = exports.uploadSkillFileFromTempPath = exports.createSkillFileOrFolder = exports.saveSkillFileContent = exports.readSkillFileContent = exports.listSkillDirectory = void 0;
 const resource_files_1 = require("./resource-files");
 const skill_1 = require("./skill");
+const secret_contract_validation_1 = require("./secret-contract-validation");
 const skillFileManager = (0, resource_files_1.createResourceFileManager)({
     getResourcePath: skill_1.getSkillPath,
     resourceLabel: "skill",
     editorLabel: "Skill",
+    validateBeforeSave: ({ relativePath, nextContent }) => {
+        if (relativePath !== "SKILL.md") {
+            return;
+        }
+        (0, secret_contract_validation_1.validateSkillSecretContract)(nextContent);
+    }
 });
 exports.listSkillDirectory = skillFileManager.listDirectory;
 exports.readSkillFileContent = skillFileManager.readFileContent;

package/dist/utils/skill.js

@@ -14,6 +14,7 @@ const path_1 = __importDefault(require("path"));
 const client_1 = __importDefault(require("../prisma/client"));
 const workspace_sync_1 = require("./workspace-sync");
 const permission_common_1 = require("./permission-common");
+const secret_contract_validation_1 = require("./secret-contract-validation");
 function getSkillsRootPath() {
     return path_1.default.join((0, workspace_sync_1.getWorkspaceDirFromEnv)(), ".agents", "skills");
 }
@@ -113,6 +114,49 @@ function extractFrontmatterValue(frontmatter, key) {
     }
     return null;
 }
+function stripYamlStringQuotes(value) {
+    return value.replace(/^["']|["']$/g, "").trim();
+}
+function extractFrontmatterStringArray(frontmatter, key) {
+    const lines = frontmatter.split("\n");
+    for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index] ?? "";
+        const match = line.match(new RegExp(`^${key}\\s*:\\s*(.*)$`));
+        if (!match) {
+            continue;
+        }
+        const rawValue = match[1]?.trim() ?? "";
+        if (rawValue.startsWith("[")) {
+            try {
+                const parsed = JSON.parse(rawValue.replace(/'/g, "\""));
+                if (Array.isArray(parsed) && parsed.every((item) => typeof item === "string")) {
+                    return parsed.map((item) => item.trim()).filter(Boolean);
+                }
+            }
+            catch {
+                return [];
+            }
+            return [];
+        }
+        if (rawValue.length > 0) {
+            return [stripYamlStringQuotes(rawValue)].filter(Boolean);
+        }
+        const items = [];
+        for (let itemIndex = index + 1; itemIndex < lines.length; itemIndex += 1) {
+            const itemLine = lines[itemIndex] ?? "";
+            if (itemLine.trim().length === 0) {
+                continue;
+            }
+            const itemMatch = itemLine.match(/^\s*-\s*(.+)\s*$/);
+            if (!itemMatch) {
+                break;
+            }
+            items.push(stripYamlStringQuotes(itemMatch[1]?.trim() ?? ""));
+        }
+        return items.filter(Boolean);
+    }
+    return [];
+}
 function readSkillManifest(slug) {
     const skillManifestPath = getSkillManifestPath(slug);
     if (!fs_1.default.existsSync(skillManifestPath)) {
@@ -126,9 +170,13 @@ function readSkillManifest(slug) {
     const frontmatter = frontmatterMatch?.[1] ?? "";
     const name = extractFrontmatterValue(frontmatter, "name") ?? slug;
     const description = extractFrontmatterValue(frontmatter, "description") ?? "";
+    // Keep manifest reads lenient so malformed skills still show up in browse/editor flows and can be repaired.
+    // Strict secret-contract validation is enforced on save and at runtime via getSkillContent.
+    const requiredSecrets = extractFrontmatterStringArray(frontmatter, "required_secrets");
     return {
         name,
         description,
+        required_secrets: requiredSecrets,
     };
 }
 function toSkillFrontmatterValue(value) {
@@ -174,7 +222,8 @@ async function createSkill(input) {
     }
     fs_1.default.mkdirSync(skillPath, { recursive: false });
     const skillMdPath = getSkillManifestPath(slug);
-    const body = `---\nname: ${toSkillFrontmatterValue(name)}\ndescription: ${toSkillFrontmatterValue("")}\n---\n\n# ${name}\n\nDescribe what this skill does.\n\n## Instructions\n\nAdd detailed, actionable instructions for the agent here.\n`;
+    const body = `---\nname: ${toSkillFrontmatterValue(name)}\ndescription: ${toSkillFrontmatterValue("")}\nrequired_secrets: []\n---\n\n# ${name}\n\nDescribe what this skill does.\n\n## Instructions\n\nAdd detailed, actionable instructions for the agent here.\n`;
+    (0, secret_contract_validation_1.validateSkillSecretContract)(body);
     fs_1.default.writeFileSync(skillMdPath, body, "utf-8");
     const now = BigInt(Date.now());
     await client_1.default.$transaction(async (tx) => {

package/dist/utils/workflow-runner.js

@@ -44,6 +44,8 @@ const fsp = __importStar(require("fs/promises"));
 const path = __importStar(require("path"));
 const client_1 = __importDefault(require("../prisma/client"));
 const workflow_interruption_1 = require("./workflow-interruption");
+const secrets_1 = require("./secrets");
+const secret_contract_validation_1 = require("./secret-contract-validation");
 const MAX_OUTPUT_CHARS = 300000;
 const SLUG_REGEX = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
 function sanitizeFilenamePart(value) {
@@ -226,7 +228,7 @@ async function requestWorkflowPermission(opencodeSessionId, messageId, callId) {
     });
     throw new Error("Permission request timed out");
 }
-function runWithTimeout(workflowPath, args, timeoutSeconds, outputFilePath, shouldAbort) {
+function runWithTimeout(workflowPath, args, timeoutSeconds, outputFilePath, shouldAbort, resolvedSecretMap) {
     return new Promise((resolve) => {
         const venvPython = getVenvPythonPath(workflowPath);
         const runScript = path.join(workflowPath, "run.py");
@@ -256,6 +258,7 @@ function runWithTimeout(workflowPath, args, timeoutSeconds, outputFilePath, shou
             cwd: workflowPath,
             env: {
                 ...process.env,
+                ...resolvedSecretMap,
                 PYTHONUNBUFFERED: "1",
                 VIRTUAL_ENV: path.join(workflowPath, ".venv"),
                 PATH: [venvBinDir, process.env.PATH ?? ""].filter(Boolean).join(path.delimiter),
@@ -359,18 +362,30 @@ async function startWorkflowRunViaBackend(options) {
         throw new Error("Invalid workflow path (must be inside workflows/).");
     }
     await assertDirectory(workflowPath);
-    await assertPathExists(path.join(workflowPath, "run.py"));
+    const runPyPath = path.join(workflowPath, "run.py");
+    await assertPathExists(runPyPath);
     await assertVenvExists(workflowPath);
     await assertPathExists(getVenvPythonPath(workflowPath));
     if (options.requirePermissionPrompt) {
         await requestWorkflowPermission(options.sessionId, options.messageId, options.callId);
     }
-    const workflowJson = JSON.parse(await fsp.readFile(path.join(workflowPath, "workflow.json"), "utf-8"));
+    const workflowJsonContent = await fsp.readFile(path.join(workflowPath, "workflow.json"), "utf-8");
+    const runPyContent = await fsp.readFile(runPyPath, "utf-8");
+    (0, secret_contract_validation_1.validateWorkflowSecretContract)({
+        workflowJsonContent,
+        runPyContent,
+    });
+    const workflowJson = JSON.parse(workflowJsonContent);
     const inputSchema = workflowJson.inputs || {};
+    const requiredSecrets = (0, secrets_1.normalizeSecretKeyList)(workflowJson.required_secrets);
     const validation = validateInputs(options.inputs, inputSchema);
     if (!validation.valid) {
         throw new Error(`Input validation failed: ${JSON.stringify(validation.errors)}`);
     }
+    const secretResolution = await (0, secrets_1.resolveSecretsForUser)(options.authUserId, requiredSecrets);
+    if (secretResolution.missingKeys.length > 0) {
+        throw new Error(`Missing required secrets: ${secretResolution.missingKeys.join(", ")}. Add these keys in your profile secrets before running this workflow.`);
+    }
     const timeoutSeconds = parseTimeoutSeconds(workflowJson.runtime?.timeout_seconds);
     if (!timeoutSeconds) {
         throw new Error(`Could not read runtime.timeout_seconds from workflow.json for '${options.slug}'`);
@@ -394,7 +409,7 @@ async function startWorkflowRunViaBackend(options) {
     const completion = (async () => {
         const runResult = await runWithTimeout(workflowPath, cmdArgs, timeoutSeconds, outputFilePath, async () => {
             return await (0, workflow_interruption_1.isWorkflowSessionInterrupted)(options.sessionId, options.workspaceDir);
-        });
+        }, secretResolution.secretMap);
         const finalStatus = runResult.status === "success" ? "success" : "failed";
         await client_1.default.workflow_runs.update({
             where: { id: createdRun.id },

package/dist/utils/workflow.js

@@ -15,6 +15,7 @@ const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const client_1 = __importDefault(require("../prisma/client"));
 const assert_1 = require("./assert");
+const secret_contract_validation_1 = require("./secret-contract-validation");
 const workflow_permissions_1 = require("./workflow-permissions");
 const workspace_sync_1 = require("./workspace-sync");
 /** Get the absolute path to the workspace directory */
@@ -70,7 +71,18 @@ function readWorkflowManifest(slug) {
         };
     }
     const content = fs_1.default.readFileSync(manifestPath, "utf-8");
-    return JSON.parse(content);
+    let manifest;
+    try {
+        manifest = JSON.parse(content);
+    }
+    catch {
+        throw {
+            status: 400,
+            message: `Workflow "${slug}" has an invalid workflow.json file. workflow.json must contain valid JSON.`
+        };
+    }
+    manifest.required_secrets = (0, secret_contract_validation_1.parseWorkflowRequiredSecrets)(content);
+    return manifest;
 }
 async function readWorkflowManifestAndEnsurePermissions(slug) {
     const manifest = readWorkflowManifest(slug);

package/dist/workflows/index.js

@@ -23,6 +23,8 @@ const workflow_interruption_1 = require("../utils/workflow-interruption");
 const session_abort_1 = require("../utils/session-abort");
 const resource_file_routes_1 = require("../utils/resource-file-routes");
 const resource_access_1 = require("../utils/resource-access");
+const secrets_1 = require("../utils/secrets");
+const secret_contract_validation_1 = require("../utils/secret-contract-validation");
 const router = express_1.default.Router({ mergeParams: true });
 const uploadTmpDir = path_1.default.join(os_1.default.tmpdir(), "teamcopilot-workflow-uploads");
 fs_1.default.mkdirSync(uploadTmpDir, { recursive: true });
@@ -102,6 +104,7 @@ router.get('/', (0, index_1.apiHandler)(async (req, res) => {
     const creatorIds = new Set();
     const manifests = new Map();
     const metadataBySlug = new Map();
+    const resolvedSecrets = await (0, secrets_1.listResolvedSecretsForUser)(req.userId);
     for (const slug of slugs) {
         const { manifest, metadata } = await (0, workflow_1.readWorkflowManifestAndEnsurePermissions)(slug);
         manifests.set(slug, manifest);
@@ -142,7 +145,9 @@ router.get('/', (0, index_1.apiHandler)(async (req, res) => {
             can_view: accessSummary.can_view,
             can_edit: accessSummary.can_edit,
             permission_mode: accessSummary.permission_mode,
-            is_locked_due_to_missing_users: accessSummary.is_locked_due_to_missing_users
+            is_locked_due_to_missing_users: accessSummary.is_locked_due_to_missing_users,
+            required_secrets: manifest.required_secrets ?? [],
+            missing_required_secrets: (0, secrets_1.resolveSecretsFromResolvedMap)(resolvedSecrets, manifest.required_secrets ?? []).missingKeys,
         });
     }
     res.json({ workflows });
@@ -495,6 +500,7 @@ router.post('/:slug/creator', (0, index_1.apiHandler)(async (req, res) => {
     const updatedMetadata = existingCreator
         ? metadata
         : await (0, workflow_1.setWorkflowCreator)(slug, req.userId);
+    (0, secret_contract_validation_1.validateWorkflowFilesAtPath)(path_1.default.join((0, workspace_sync_1.getWorkspaceDirFromEnv)(), "workflows", slug));
     await (0, workflow_permissions_1.initializeWorkflowRunPermissionsForCreator)(slug, req.userId);
     res.json({
         workflow: {
@@ -566,6 +572,7 @@ router.get('/:slug', (0, index_1.apiHandler)(async (req, res) => {
     const { manifest, metadata } = await (0, workflow_1.readWorkflowManifestAndEnsurePermissions)(slug);
     const permission = await (0, workflow_permissions_1.getWorkflowRunPermissionWithUsers)(slug);
     const accessSummary = await (0, resource_access_1.getResourceAccessSummary)("workflow", slug, req.userId);
+    const secretResolution = await (0, secrets_1.resolveSecretsForUser)(req.userId, manifest.required_secrets ?? []);
     const createdByUserId = metadata.created_by_user_id ?? null;
     const approvedByUserId = metadata.approved_by_user_id ?? null;
     const userIds = [createdByUserId, approvedByUserId].filter((id) => typeof id === "string");
@@ -598,6 +605,8 @@ router.get('/:slug', (0, index_1.apiHandler)(async (req, res) => {
             can_edit: accessSummary.can_edit,
             permission_mode: accessSummary.permission_mode,
             is_locked_due_to_missing_users: accessSummary.is_locked_due_to_missing_users,
+            required_secrets: manifest.required_secrets ?? [],
+            missing_required_secrets: secretResolution.missingKeys,
             permissions,
             allowed_users_resolved: permission.allowedUsers.map((row) => ({
                 user_id: row.user.id,

package/dist/workspace_files/.opencode/plugins/createSkill.ts

@@ -176,29 +176,6 @@ async function requestCreationPermission(
   throw new Error("Permission request timed out")
 }
 
-function stripLeadingFrontmatter(markdown: string): string {
-  const trimmedStart = markdown.trimStart()
-  if (!trimmedStart.startsWith("---\n")) {
-    return markdown.trim()
-  }
-
-  const frontmatterEnd = trimmedStart.indexOf("\n---\n", 4)
-  if (frontmatterEnd < 0) {
-    return markdown.trim()
-  }
-
-  return trimmedStart.slice(frontmatterEnd + "\n---\n".length).trim()
-}
-
-function buildSkillMarkdown(
-  slug: string,
-  description: string,
-  markdownContent: string
-): string {
-  const body = stripLeadingFrontmatter(markdownContent)
-  return `---\nname: ${JSON.stringify(slug)}\ndescription: ${JSON.stringify(description)}\n---\n\n${body}\n`
-}
-
 export const CreateSkillPlugin: Plugin = async ({ client }) => {
   async function resolveRootSessionID(sessionID: string): Promise<string> {
     let currentSessionID = sessionID
@@ -327,8 +304,6 @@ export const CreateSkillPlugin: Plugin = async ({ client }) => {
             throw new Error(`SKILL.md for ${slug} is not a text file.`)
           }
 
-          const nextContent = buildSkillMarkdown(slug, description, content)
-
           const saveResponse = await fetch(`${getApiBaseUrl()}/api/skills/${encodeURIComponent(slug)}/files/content`, {
             method: "PUT",
             headers: {
@@ -337,7 +312,7 @@ export const CreateSkillPlugin: Plugin = async ({ client }) => {
             },
             body: JSON.stringify({
               path: "SKILL.md",
-              content: nextContent,
+              content,
               base_etag: filePayload.etag,
             }),
           })

package/dist/workspace_files/.opencode/plugins/createWorkflow.ts

@@ -25,6 +25,7 @@ interface WorkflowInput {
 interface WorkflowManifest {
   intent_summary: string
   inputs?: Record<string, WorkflowInput>
+  required_secrets?: string[]
   triggers?: {
     manual?: boolean
   }
@@ -230,7 +231,7 @@ export const CreateWorkflowPlugin: Plugin = async ({ client }) => {
     tool: {
       createWorkflow: tool({
         description:
-          "Create a new workflow with the specified slug and configuration. Creates the workflow folder with all required files (workflow.json, run.py, requirements.txt, etc.). The workflow will need admin approval before it can be executed.",
+          "Create a new workflow with the specified slug and configuration. Creates the workflow folder with the required files (workflow.json, run.py, requirements.txt, requirements.lock.txt, README.md). The workflow will need admin approval before it can be executed.",
         args: {
           slug: tool.schema
             .string()
@@ -324,6 +325,7 @@ export const CreateWorkflowPlugin: Plugin = async ({ client }) => {
           const workflowJson: WorkflowManifest = {
             intent_summary,
             inputs: inputs as Record<string, WorkflowInput>,
+            required_secrets: [],
             triggers: { manual: true },
             runtime: { timeout_seconds },
           }
@@ -337,8 +339,6 @@ export const CreateWorkflowPlugin: Plugin = async ({ client }) => {
           await fs.writeFile(path.join(workflowDir, "run.py"), "", "utf-8")
           await fs.writeFile(path.join(workflowDir, "requirements.txt"), "", "utf-8")
           await fs.writeFile(path.join(workflowDir, "requirements.lock.txt"), "", "utf-8")
-          await fs.writeFile(path.join(workflowDir, ".env"), "", "utf-8")
-          await fs.writeFile(path.join(workflowDir, ".env.example"), "", "utf-8")
           await fs.writeFile(path.join(workflowDir, "README.md"), "", "utf-8")
 
           const creatorResponse = await fetch(