vskill 0.1.0 → 0.1.2

package/dist/security/platform-security.js

@@ -0,0 +1,34 @@
+// ---------------------------------------------------------------------------
+// Platform security check — queries external SAST scan results (best-effort)
+// ---------------------------------------------------------------------------
+const BASE_URL = "https://verified-skill.com";
+/**
+ * Check external SAST scan results from the platform API.
+ * Returns null on any network/API error (best-effort, non-fatal).
+ */
+export async function checkPlatformSecurity(skillName) {
+    try {
+        const url = `${BASE_URL}/api/v1/skills/${encodeURIComponent(skillName)}/security`;
+        const res = await fetch(url);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        const providers = (data.providers || []).map((p) => ({
+            provider: String(p.provider || ""),
+            status: String(p.status || "PENDING"),
+            verdict: p.verdict ?? null,
+            criticalCount: Number(p.criticalCount ?? 0),
+        }));
+        const hasCritical = providers.some((p) => p.status === "FAIL" && p.criticalCount > 0);
+        return {
+            hasCritical,
+            overallVerdict: String(data.overallVerdict || "PENDING"),
+            providers,
+            reportUrl: String(data.reportUrl || ""),
+        };
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=platform-security.js.map

package/dist/security/platform-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-security.js","sourceRoot":"","sources":["../../src/security/platform-security.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,8EAA8E;AAE9E,MAAM,QAAQ,GAAG,4BAA4B,CAAC;AAgB9C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,GAAG,QAAQ,kBAAkB,kBAAkB,CAAC,SAAS,CAAC,WAAW,CAAC;QAClF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QAE7B,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAS7B,CAAC;QAEF,MAAM,SAAS,GAAqB,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC;YAClC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,IAAI,SAAS,CAAC;YACrC,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,IAAI;YAC1B,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC;SAC5C,CAAC,CAAC,CAAC;QAEJ,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,CAAC,aAAa,GAAG,CAAC,CAClD,CAAC;QAEF,OAAO;YACL,WAAW;YACX,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc,IAAI,SAAS,CAAC;YACxD,SAAS;YACT,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC;SACxC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/security/platform-security.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/platform-security.test.js

@@ -0,0 +1,92 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { checkPlatformSecurity } from "./platform-security.js";
+// ---------------------------------------------------------------------------
+// Mock global fetch
+// ---------------------------------------------------------------------------
+const originalFetch = globalThis.fetch;
+beforeEach(() => {
+    vi.clearAllMocks();
+});
+afterEach(() => {
+    globalThis.fetch = originalFetch;
+});
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function makePlatformResponse(overrides = {}) {
+    return {
+        overallVerdict: "PASS",
+        reportUrl: "/skills/test-skill/security",
+        providers: [
+            {
+                provider: "semgrep",
+                status: "PASS",
+                verdict: "clean",
+                criticalCount: 0,
+            },
+        ],
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("checkPlatformSecurity", () => {
+    it("returns hasCritical: true when a provider has FAIL + criticalCount > 0", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: async () => makePlatformResponse({
+                overallVerdict: "FAIL",
+                providers: [
+                    { provider: "semgrep", status: "FAIL", verdict: "critical", criticalCount: 3 },
+                    { provider: "snyk", status: "PASS", verdict: "clean", criticalCount: 0 },
+                ],
+            }),
+        });
+        const result = await checkPlatformSecurity("evil-skill");
+        expect(result).not.toBeNull();
+        expect(result.hasCritical).toBe(true);
+        expect(result.overallVerdict).toBe("FAIL");
+        expect(result.providers).toHaveLength(2);
+        expect(result.providers[0].criticalCount).toBe(3);
+    });
+    it("returns hasCritical: false when all providers PASS", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: async () => makePlatformResponse(),
+        });
+        const result = await checkPlatformSecurity("safe-skill");
+        expect(result).not.toBeNull();
+        expect(result.hasCritical).toBe(false);
+        expect(result.overallVerdict).toBe("PASS");
+    });
+    it("returns null on network error", async () => {
+        globalThis.fetch = vi.fn().mockRejectedValue(new Error("Network unreachable"));
+        const result = await checkPlatformSecurity("any-skill");
+        expect(result).toBeNull();
+    });
+    it("returns null on 404 response", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 404,
+        });
+        const result = await checkPlatformSecurity("unknown-skill");
+        expect(result).toBeNull();
+    });
+    it("returns hasCritical: false when status is PENDING (does not block)", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: async () => makePlatformResponse({
+                overallVerdict: "PENDING",
+                providers: [
+                    { provider: "semgrep", status: "PENDING", verdict: null, criticalCount: 0 },
+                ],
+            }),
+        });
+        const result = await checkPlatformSecurity("pending-skill");
+        expect(result).not.toBeNull();
+        expect(result.hasCritical).toBe(false);
+        expect(result.overallVerdict).toBe("PENDING");
+    });
+});
+//# sourceMappingURL=platform-security.test.js.map

package/dist/security/platform-security.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-security.test.js","sourceRoot":"","sources":["../../src/security/platform-security.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE/D,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;AAEvC,UAAU,CAAC,GAAG,EAAE;IACd,EAAE,CAAC,aAAa,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,UAAU,CAAC,KAAK,GAAG,aAAa,CAAC;AACnC,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,oBAAoB,CAAC,YAAqC,EAAE;IACnE,OAAO;QACL,cAAc,EAAE,MAAM;QACtB,SAAS,EAAE,6BAA6B;QACxC,SAAS,EAAE;YACT;gBACE,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,OAAO;gBAChB,aAAa,EAAE,CAAC;aACjB;SACF;QACD,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,UAAU,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAC3C,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,KAAK,IAAI,EAAE,CACf,oBAAoB,CAAC;gBACnB,cAAc,EAAE,MAAM;gBACtB,SAAS,EAAE;oBACT,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,EAAE;oBAC9E,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,EAAE;iBACzE;aACF,CAAC;SACL,CAA4B,CAAC;QAE9B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAEzD,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,MAAO,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAO,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,UAAU,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAC3C,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,oBAAoB,EAAE;SACzC,CAA4B,CAAC;QAE9B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAEzD,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,CAAC,MAAO,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,UAAU,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAC1C,IAAI,KAAK,CAAC,qBAAqB,CAAC,CACN,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,UAAU,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAC3C,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;SACZ,CAA4B,CAAC;QAE9B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAE5D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,UAAU,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAC3C,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,KAAK,IAAI,EAAE,CACf,oBAAoB,CAAC;gBACnB,cAAc,EAAE,SAAS;gBACzB,SAAS,EAAE;oBACT,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,EAAE;iBAC5E;aACF,CAAC;SACL,CAA4B,CAAC;QAE9B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,eAAe,CAAC,CAAC;QAE5D,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,CAAC,MAAO,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/settings/index.d.ts

@@ -0,0 +1,2 @@
+export type { SettingsOptions } from "./settings.js";
+export { enablePlugin, disablePlugin, isPluginEnabled } from "./settings.js";

package/dist/settings/index.js

@@ -0,0 +1,2 @@
+export { enablePlugin, disablePlugin, isPluginEnabled } from "./settings.js";
+//# sourceMappingURL=index.js.map

package/dist/settings/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/settings/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC"}

package/dist/settings/settings.d.ts

@@ -0,0 +1,16 @@
+export interface SettingsOptions {
+    scope: "user" | "project";
+    projectDir?: string;
+}
+/**
+ * Enable a plugin in settings.json.
+ */
+export declare function enablePlugin(pluginId: string, opts: SettingsOptions): void;
+/**
+ * Disable a plugin in settings.json (set to false).
+ */
+export declare function disablePlugin(pluginId: string, opts: SettingsOptions): void;
+/**
+ * Check if a plugin is enabled in settings.json.
+ */
+export declare function isPluginEnabled(pluginId: string, opts: SettingsOptions): boolean;

package/dist/settings/settings.js

@@ -0,0 +1,73 @@
+// ---------------------------------------------------------------------------
+// Claude Code settings.json management
+// ---------------------------------------------------------------------------
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { homedir } from "node:os";
+/**
+ * Resolves the path to settings.json based on scope.
+ * - user: ~/.claude/settings.json
+ * - project: <projectDir>/.claude/settings.json
+ */
+function settingsPath(opts) {
+    if (opts.scope === "project" && opts.projectDir) {
+        return join(opts.projectDir, ".claude", "settings.json");
+    }
+    return join(homedir(), ".claude", "settings.json");
+}
+/**
+ * Reads settings.json, returning an empty object if it doesn't exist.
+ */
+function readSettings(opts) {
+    const p = settingsPath(opts);
+    if (!existsSync(p))
+        return {};
+    try {
+        const raw = readFileSync(p, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Writes settings.json, creating parent directories if needed.
+ */
+function writeSettings(settings, opts) {
+    const p = settingsPath(opts);
+    const dir = dirname(p);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(p, JSON.stringify(settings, null, 2) + "\n", "utf-8");
+}
+/**
+ * Enable a plugin in settings.json.
+ */
+export function enablePlugin(pluginId, opts) {
+    const settings = readSettings(opts);
+    if (!settings.enabledPlugins) {
+        settings.enabledPlugins = {};
+    }
+    settings.enabledPlugins[pluginId] = true;
+    writeSettings(settings, opts);
+}
+/**
+ * Disable a plugin in settings.json (set to false).
+ */
+export function disablePlugin(pluginId, opts) {
+    const settings = readSettings(opts);
+    if (!settings.enabledPlugins) {
+        settings.enabledPlugins = {};
+    }
+    settings.enabledPlugins[pluginId] = false;
+    writeSettings(settings, opts);
+}
+/**
+ * Check if a plugin is enabled in settings.json.
+ */
+export function isPluginEnabled(pluginId, opts) {
+    const settings = readSettings(opts);
+    return settings.enabledPlugins?.[pluginId] === true;
+}
+//# sourceMappingURL=settings.js.map

package/dist/settings/settings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../src/settings/settings.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,uCAAuC;AACvC,8EAA8E;AAE9E,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAYlC;;;;GAIG;AACH,SAAS,YAAY,CAAC,IAAqB;IACzC,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAqB;IACzC,MAAM,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAsB,EAAE,IAAqB;IAClE,MAAM,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IACD,aAAa,CAAC,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,QAAgB,EAChB,IAAqB;IAErB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,QAAQ,CAAC,cAAc,GAAG,EAAE,CAAC;IAC/B,CAAC;IACD,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IACzC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,IAAqB;IAErB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,QAAQ,CAAC,cAAc,GAAG,EAAE,CAAC;IAC/B,CAAC;IACD,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC;IAC1C,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,IAAqB;IAErB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,OAAO,QAAQ,CAAC,cAAc,EAAE,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC;AACtD,CAAC"}

package/dist/settings/settings.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/settings/settings.test.js

@@ -0,0 +1,103 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+// ---------------------------------------------------------------------------
+// Mock node:fs
+// ---------------------------------------------------------------------------
+const mockReadFileSync = vi.fn();
+const mockWriteFileSync = vi.fn();
+const mockExistsSync = vi.fn();
+const mockMkdirSync = vi.fn();
+vi.mock("node:fs", () => ({
+    readFileSync: (...args) => mockReadFileSync(...args),
+    writeFileSync: (...args) => mockWriteFileSync(...args),
+    existsSync: (...args) => mockExistsSync(...args),
+    mkdirSync: (...args) => mockMkdirSync(...args),
+}));
+// ---------------------------------------------------------------------------
+// Mock node:os (homedir)
+// ---------------------------------------------------------------------------
+vi.mock("node:os", () => ({
+    homedir: () => "/home/testuser",
+}));
+// Import after mocks are set up
+const { enablePlugin, disablePlugin, isPluginEnabled } = await import("./settings.js");
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+beforeEach(() => {
+    vi.clearAllMocks();
+});
+describe("enablePlugin", () => {
+    it("TC-010: enables plugin in empty/new settings.json", () => {
+        // settings.json doesn't exist
+        mockExistsSync.mockReturnValue(false);
+        enablePlugin("sw-frontend@specweave", { scope: "user" });
+        // Should write to ~/.claude/settings.json
+        expect(mockWriteFileSync).toHaveBeenCalledTimes(1);
+        const [writePath, writtenContent] = mockWriteFileSync.mock.calls[0];
+        expect(writePath).toBe("/home/testuser/.claude/settings.json");
+        const parsed = JSON.parse(writtenContent);
+        expect(parsed).toEqual({
+            enabledPlugins: { "sw-frontend@specweave": true },
+        });
+    });
+    it("TC-011: project scope writes to correct location", () => {
+        mockExistsSync.mockReturnValue(false);
+        enablePlugin("sw-frontend@specweave", {
+            scope: "project",
+            projectDir: "/tmp/test-project",
+        });
+        expect(mockWriteFileSync).toHaveBeenCalledTimes(1);
+        const [writePath] = mockWriteFileSync.mock.calls[0];
+        expect(writePath).toBe("/tmp/test-project/.claude/settings.json");
+    });
+    it("TC-012: preserves existing settings when adding plugin", () => {
+        mockExistsSync.mockReturnValue(true);
+        mockReadFileSync.mockReturnValue(JSON.stringify({
+            theme: "dark",
+            enabledPlugins: { other: true },
+        }));
+        enablePlugin("sw-frontend@specweave", { scope: "user" });
+        expect(mockWriteFileSync).toHaveBeenCalledTimes(1);
+        const [, writtenContent] = mockWriteFileSync.mock.calls[0];
+        const parsed = JSON.parse(writtenContent);
+        expect(parsed).toEqual({
+            theme: "dark",
+            enabledPlugins: {
+                other: true,
+                "sw-frontend@specweave": true,
+            },
+        });
+    });
+});
+describe("disablePlugin", () => {
+    it("sets plugin to false in settings.json", () => {
+        mockExistsSync.mockReturnValue(true);
+        mockReadFileSync.mockReturnValue(JSON.stringify({
+            enabledPlugins: { "sw-frontend@specweave": true },
+        }));
+        disablePlugin("sw-frontend@specweave", { scope: "user" });
+        expect(mockWriteFileSync).toHaveBeenCalledTimes(1);
+        const [, writtenContent] = mockWriteFileSync.mock.calls[0];
+        const parsed = JSON.parse(writtenContent);
+        expect(parsed.enabledPlugins["sw-frontend@specweave"]).toBe(false);
+    });
+});
+describe("isPluginEnabled", () => {
+    it("returns true when plugin is enabled", () => {
+        mockExistsSync.mockReturnValue(true);
+        mockReadFileSync.mockReturnValue(JSON.stringify({
+            enabledPlugins: { "sw-frontend@specweave": true },
+        }));
+        expect(isPluginEnabled("sw-frontend@specweave", { scope: "user" })).toBe(true);
+    });
+    it("returns false when settings.json does not exist", () => {
+        mockExistsSync.mockReturnValue(false);
+        expect(isPluginEnabled("sw-frontend@specweave", { scope: "user" })).toBe(false);
+    });
+    it("returns false when plugin is not in settings", () => {
+        mockExistsSync.mockReturnValue(true);
+        mockReadFileSync.mockReturnValue(JSON.stringify({ enabledPlugins: {} }));
+        expect(isPluginEnabled("sw-frontend@specweave", { scope: "user" })).toBe(false);
+    });
+});
+//# sourceMappingURL=settings.test.js.map

package/dist/settings/settings.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.test.js","sourceRoot":"","sources":["../../src/settings/settings.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAE9D,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAC9E,MAAM,gBAAgB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AACjC,MAAM,iBAAiB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAClC,MAAM,cAAc,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAC/B,MAAM,aAAa,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;AAE9B,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;IACxB,YAAY,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;IAC/D,aAAa,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,iBAAiB,CAAC,GAAG,IAAI,CAAC;IACjE,UAAU,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC;IAC3D,SAAS,EAAE,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;CAC1D,CAAC,CAAC,CAAC;AAEJ,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAC9E,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;IACxB,OAAO,EAAE,GAAG,EAAE,CAAC,gBAAgB;CAChC,CAAC,CAAC,CAAC;AAEJ,gCAAgC;AAChC,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CACnE,eAAe,CAChB,CAAC;AAEF,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAC9E,UAAU,CAAC,GAAG,EAAE;IACd,EAAE,CAAC,aAAa,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,8BAA8B;QAC9B,cAAc,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAEtC,YAAY,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAEzD,0CAA0C;QAC1C,MAAM,CAAC,iBAAiB,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,SAAS,EAAE,cAAc,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACpE,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,cAAc,EAAE,EAAE,uBAAuB,EAAE,IAAI,EAAE;SAClD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,cAAc,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAEtC,YAAY,CAAC,uBAAuB,EAAE;YACpC,KAAK,EAAE,SAAS;YAChB,UAAU,EAAE,mBAAmB;SAChC,CAAC,CAAC;QAEH,MAAM,CAAC,iBAAiB,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,SAAS,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACrC,gBAAgB,CAAC,eAAe,CAC9B,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,MAAM;YACb,cAAc,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;SAChC,CAAC,CACH,CAAC;QAEF,YAAY,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAEzD,MAAM,CAAC,iBAAiB,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,EAAE,cAAc,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,KAAK,EAAE,MAAM;YACb,cAAc,EAAE;gBACd,KAAK,EAAE,IAAI;gBACX,uBAAuB,EAAE,IAAI;aAC9B;SACF,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACrC,gBAAgB,CAAC,eAAe,CAC9B,IAAI,CAAC,SAAS,CAAC;YACb,cAAc,EAAE,EAAE,uBAAuB,EAAE,IAAI,EAAE;SAClD,CAAC,CACH,CAAC;QAEF,aAAa,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAE1D,MAAM,CAAC,iBAAiB,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,EAAE,cAAc,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACrC,gBAAgB,CAAC,eAAe,CAC9B,IAAI,CAAC,SAAS,CAAC;YACb,cAAc,EAAE,EAAE,uBAAuB,EAAE,IAAI,EAAE;SAClD,CAAC,CACH,CAAC;QAEF,MAAM,CACJ,eAAe,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAC5D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,cAAc,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAEtC,MAAM,CACJ,eAAe,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAC5D,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,cAAc,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACrC,gBAAgB,CAAC,eAAe,CAC9B,IAAI,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC,CACvC,CAAC;QAEF,MAAM,CACJ,eAAe,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAC5D,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/utils/__tests__/paths.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/__tests__/paths.test.js

@@ -0,0 +1,22 @@
+import { describe, it, expect } from "vitest";
+import os from "node:os";
+import { resolveTilde } from "../paths.js";
+describe("resolveTilde (T-004)", () => {
+    const home = os.homedir();
+    it("TC-009: resolves ~ to home directory", () => {
+        expect(resolveTilde("~/some/path")).toBe(`${home}/some/path`);
+    });
+    it("TC-010: passes through absolute paths unchanged", () => {
+        expect(resolveTilde("/usr/local/bin")).toBe("/usr/local/bin");
+    });
+    it("TC-011: passes through relative paths unchanged", () => {
+        expect(resolveTilde("./local/dir")).toBe("./local/dir");
+    });
+    it("resolves bare ~ to home directory", () => {
+        expect(resolveTilde("~")).toBe(home);
+    });
+    it("does not resolve tilde in middle of path", () => {
+        expect(resolveTilde("/some/~/path")).toBe("/some/~/path");
+    });
+});
+//# sourceMappingURL=paths.test.js.map

package/dist/utils/__tests__/paths.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.test.js","sourceRoot":"","sources":["../../../src/utils/__tests__/paths.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAE1B,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,YAAY,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/utils/__tests__/validation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/__tests__/validation.test.js

@@ -0,0 +1,49 @@
+import { describe, it, expect } from "vitest";
+import { validateRepoSegment, validateSkillName } from "../validation.js";
+describe("validateRepoSegment (T-011)", () => {
+    it("TC-023: accepts valid owner/repo names", () => {
+        expect(validateRepoSegment("my-org")).toBe(true);
+        expect(validateRepoSegment("user.name")).toBe(true);
+        expect(validateRepoSegment("repo_123")).toBe(true);
+        expect(validateRepoSegment("A-Z_test.repo")).toBe(true);
+    });
+    it("TC-024: rejects path traversal", () => {
+        expect(validateRepoSegment("../etc/passwd")).toBe(false);
+        expect(validateRepoSegment("..")).toBe(false);
+        expect(validateRepoSegment("foo/../bar")).toBe(false);
+    });
+    it("TC-025: rejects null bytes", () => {
+        expect(validateRepoSegment("repo\x00name")).toBe(false);
+    });
+    it("rejects slashes", () => {
+        expect(validateRepoSegment("owner/repo")).toBe(false);
+    });
+    it("rejects empty string", () => {
+        expect(validateRepoSegment("")).toBe(false);
+    });
+    it("rejects spaces", () => {
+        expect(validateRepoSegment("my repo")).toBe(false);
+    });
+});
+describe("validateSkillName (T-011)", () => {
+    it("TC-026: accepts valid skill names", () => {
+        expect(validateSkillName("my-skill")).toBe(true);
+        expect(validateSkillName("skill_v2")).toBe(true);
+        expect(validateSkillName("code-review")).toBe(true);
+    });
+    it("TC-027: rejects path traversal", () => {
+        expect(validateSkillName("../../malicious")).toBe(false);
+        expect(validateSkillName("../..")).toBe(false);
+        expect(validateSkillName("skill/../../etc")).toBe(false);
+    });
+    it("rejects backslash traversal", () => {
+        expect(validateSkillName("..\\..\\malicious")).toBe(false);
+    });
+    it("rejects null bytes", () => {
+        expect(validateSkillName("skill\x00name")).toBe(false);
+    });
+    it("rejects empty string", () => {
+        expect(validateSkillName("")).toBe(false);
+    });
+});
+//# sourceMappingURL=validation.test.js.map

package/dist/utils/__tests__/validation.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.test.js","sourceRoot":"","sources":["../../../src/utils/__tests__/validation.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE1E,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,MAAM,CAAC,mBAAmB,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,mBAAmB,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,mBAAmB,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE;QACzB,MAAM,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gBAAgB,EAAE,GAAG,EAAE;QACxB,MAAM,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/utils/browser.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Open a URL in the user's default browser.
+ * Uses execFile (not exec) to avoid shell command injection.
+ * Platform-specific: open (macOS), xdg-open (Linux), start (Windows).
+ */
+export declare function openBrowser(url: string): Promise<void>;

package/dist/utils/browser.js

@@ -0,0 +1,37 @@
+// ---------------------------------------------------------------------------
+// Cross-platform browser opener
+// ---------------------------------------------------------------------------
+import { execFile } from "node:child_process";
+/**
+ * Open a URL in the user's default browser.
+ * Uses execFile (not exec) to avoid shell command injection.
+ * Platform-specific: open (macOS), xdg-open (Linux), start (Windows).
+ */
+export function openBrowser(url) {
+    const platform = process.platform;
+    let cmd;
+    let args;
+    if (platform === "darwin") {
+        cmd = "open";
+        args = [url];
+    }
+    else if (platform === "win32") {
+        cmd = "cmd";
+        args = ["/c", "start", "", url];
+    }
+    else {
+        cmd = "xdg-open";
+        args = [url];
+    }
+    return new Promise((resolve, reject) => {
+        execFile(cmd, args, (err) => {
+            if (err) {
+                reject(err);
+            }
+            else {
+                resolve();
+            }
+        });
+    });
+}
+//# sourceMappingURL=browser.js.map

package/dist/utils/browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../../src/utils/browser.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,GAAW,CAAC;IAChB,IAAI,IAAc,CAAC;IAEnB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,GAAG,GAAG,MAAM,CAAC;QACb,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,GAAG,GAAG,KAAK,CAAC;QACZ,IAAI,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,UAAU,CAAC;QACjB,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE;YAC1B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;iBAAM,CAAC;gBACN,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/utils/paths.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Resolve leading `~` in a path to the user's home directory.
+ * Passes through absolute and relative paths unchanged.
+ */
+export declare function resolveTilde(p: string): string;

package/dist/utils/paths.js

@@ -0,0 +1,13 @@
+import os from "node:os";
+/**
+ * Resolve leading `~` in a path to the user's home directory.
+ * Passes through absolute and relative paths unchanged.
+ */
+export function resolveTilde(p) {
+    if (p === "~")
+        return os.homedir();
+    if (p.startsWith("~/"))
+        return os.homedir() + p.slice(1);
+    return p;
+}
+//# sourceMappingURL=paths.js.map

package/dist/utils/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,CAAS;IACpC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC,OAAO,EAAE,CAAC;IACnC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/utils/validation.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Input validation utilities for CLI arguments.
+ * Prevents path traversal and injection attacks.
+ */
+/**
+ * Validate an owner or repo name segment.
+ * Only allows word chars, dots, and hyphens.
+ */
+export declare function validateRepoSegment(segment: string): boolean;
+/**
+ * Validate a skill name.
+ * Rejects path traversal (../, ..\) and null bytes.
+ */
+export declare function validateSkillName(name: string): boolean;

package/dist/utils/validation.js

@@ -0,0 +1,34 @@
+/**
+ * Input validation utilities for CLI arguments.
+ * Prevents path traversal and injection attacks.
+ */
+const REPO_SEGMENT_RE = /^[\w.-]+$/;
+/**
+ * Validate an owner or repo name segment.
+ * Only allows word chars, dots, and hyphens.
+ */
+export function validateRepoSegment(segment) {
+    if (!segment)
+        return false;
+    if (segment.includes("\0"))
+        return false;
+    if (segment === "." || segment === "..")
+        return false;
+    return REPO_SEGMENT_RE.test(segment);
+}
+/**
+ * Validate a skill name.
+ * Rejects path traversal (../, ..\) and null bytes.
+ */
+export function validateSkillName(name) {
+    if (!name)
+        return false;
+    if (name.includes("\0"))
+        return false;
+    if (name.includes("../") || name.includes("..\\"))
+        return false;
+    if (name === ".." || name === ".")
+        return false;
+    return true;
+}
+//# sourceMappingURL=validation.js.map

package/dist/utils/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,eAAe,GAAG,WAAW,CAAC;AAEpC;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAChE,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAChD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vskill",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "type": "module",
   "description": "Secure multi-platform AI skill installer — scan before you install",
   "bin": {
@@ -13,6 +13,7 @@
     "dev": "tsc --watch",
     "test": "vitest run",
     "clean": "rm -rf dist",
+    "preuninstall": "node scripts/preuninstall.cjs",
     "prepublishOnly": "npm run build"
   },
   "keywords": [
@@ -35,6 +36,7 @@
   "homepage": "https://verified-skill.com",
   "files": [
     "dist",
+    "scripts/preuninstall.cjs",
     "README.md"
   ],
   "devDependencies": {
@@ -46,6 +48,7 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "commander": "^14.0.3"
+    "commander": "^14.0.3",
+    "simple-git": "^3.27.0"
   }
 }