vskill 0.5.125 → 0.5.127

package/agents.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "generatedAt": "2026-04-26T05:43:23.914Z",
+  "generatedAt": "2026-04-26T07:01:09.639Z",
   "agentPrefixes": [
     ".adal",
     ".agent",

package/dist/eval-server/api-routes.js

@@ -2,7 +2,7 @@
 // api-routes.ts -- REST API route handlers for the eval UI
 // ---------------------------------------------------------------------------
 import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, statSync } from "node:fs";
-import { execSync } from "node:child_process";
+import { execSync, execFileSync } from "node:child_process";
 import { join, resolve, dirname, basename } from "node:path";
 import { homedir } from "node:os";
 import { sendJson, readBody } from "./router.js";
@@ -1510,20 +1510,54 @@ export function registerRoutes(router, root, projectName) {
     // directly instead of shelling out to whatever `vskill` is on PATH (which
     // may be a different version than the studio is bundling). This guarantees
     // the disk-version reconcile from outdated.ts is applied uniformly.
+    //
+    // 0747 T-002: enrich each row with `installLocations[]`, `localPlugin`,
+    // `localSkill` so the Studio's bell dropdown can render tooltips and route
+    // smart clicks via `revealSkill` instead of guessing local fs identifiers
+    // from the canonical platform name.
     router.get("/api/skills/updates", async (req, res) => {
         try {
             const { getOutdatedJson } = await import("../commands/outdated.js");
+            const { scanSkillInstallLocations } = await import("./utils/scan-install-locations.js");
             const programmatic = await getOutdatedJson();
             if (!programmatic) {
                 sendJson(res, [], 200, req);
                 return;
             }
-            const enriched = programmatic.results.map((r) => ({
-                ...r,
-                ...(programmatic.pinMap.has(r.name)
-                    ? { pinned: true, pinnedVersion: programmatic.pinMap.get(r.name) }
-                    : {}),
-            }));
+            // 0747 AC-US4-06 + code-review F-004: per-request memoization keyed by
+            // canonical skill name. Each unique name is scanned exactly once even
+            // if it appears in multiple rows, so the syscall cost is O(unique
+            // names × agents × scopes), not O(rows × agents × scopes). For a
+            // typical /updates response every row has a distinct name, so this
+            // matches the previous one-call-per-row behavior on the happy path
+            // while giving a correct lower bound when names ever duplicate.
+            const scanCache = new Map();
+            const scanOnce = (name) => {
+                const hit = scanCache.get(name);
+                if (hit !== undefined)
+                    return hit;
+                const fresh = scanSkillInstallLocations(name, root);
+                scanCache.set(name, fresh);
+                return fresh;
+            };
+            const enriched = programmatic.results.map((r) => {
+                const locations = scanOnce(r.name);
+                const localSkill = r.name.split("/").pop();
+                // Highest-precedence install wins for the local fs pair the click
+                // handler reveals: project > personal > plugin.
+                const precedence = { project: 0, personal: 1, plugin: 2 };
+                const winner = [...locations].sort((a, b) => precedence[a.scope] -
+                    precedence[b.scope])[0];
+                return {
+                    ...r,
+                    ...(programmatic.pinMap.has(r.name)
+                        ? { pinned: true, pinnedVersion: programmatic.pinMap.get(r.name) }
+                        : {}),
+                    installLocations: locations,
+                    localSkill,
+                    ...(winner?.pluginSlug ? { localPlugin: winner.pluginSlug } : {}),
+                };
+            });
             sendJson(res, enriched, 200, req);
         }
         catch {
@@ -1637,18 +1671,66 @@ export function registerRoutes(router, root, projectName) {
         }
     });
     // T-011: Single-skill update SSE endpoint
+    //
+    // 0747 T-003: optional `?agent=<id>` query param scopes the update to a
+    // single agent's install. The id MUST be in AGENTS_REGISTRY (allowlist) —
+    // it is interpolated into the execSync command, so any non-allowlisted
+    // value is rejected before reaching the shell. Without `?agent`, behavior
+    // is unchanged and `vskill update` does its built-in cross-agent fan-out.
     router.post("/api/skills/:plugin/:skill/update", async (req, res, params) => {
         initSSE(res, req);
         const skillName = params.skill;
-        sendSSE(res, "progress", { status: "updating", skill: skillName });
+        // Parse optional ?agent=<id>
+        let agentId = null;
         try {
-            execSync(`vskill update ${skillName}`, {
+            const reqUrl = req.url ?? "";
+            const url = new URL(reqUrl, "http://localhost");
+            const raw = url.searchParams.get("agent");
+            if (raw !== null) {
+                const allowed = AGENTS_REGISTRY.some((a) => a.id === raw);
+                if (!allowed) {
+                    sendSSE(res, "error", {
+                        error: `Unknown agent id: ${raw}`,
+                        skill: skillName,
+                    });
+                    sendSSEDone(res, { status: "error", skill: skillName });
+                    return;
+                }
+                agentId = raw;
+            }
+        }
+        catch {
+            // URL parse error → behave as if ?agent was omitted
+        }
+        sendSSE(res, "progress", {
+            status: "updating",
+            skill: skillName,
+            ...(agentId ? { agent: agentId } : {}),
+        });
+        try {
+            // 0747 code-review F-001: use execFileSync with argv array — never
+            // shell-interpolate user-controlled values. skillName comes from a
+            // route param and could otherwise carry shell metacharacters via
+            // decodeURIComponent. agentId is allowlisted above; we still pass it
+            // as a separate arg for defense-in-depth.
+            const args = ["update", skillName];
+            if (agentId)
+                args.push("--agent", agentId);
+            execFileSync("vskill", args, {
                 timeout: 60_000,
                 encoding: "utf-8",
                 stdio: ["ignore", "pipe", "pipe"],
             });
-            sendSSE(res, "progress", { status: "done", skill: skillName });
-            sendSSEDone(res, { status: "done", skill: skillName });
+            sendSSE(res, "progress", {
+                status: "done",
+                skill: skillName,
+                ...(agentId ? { agent: agentId } : {}),
+            });
+            sendSSEDone(res, {
+                status: "done",
+                skill: skillName,
+                ...(agentId ? { agent: agentId } : {}),
+            });
         }
         catch (err) {
             sendSSE(res, "error", { error: err.message, skill: skillName });
@@ -1672,7 +1754,10 @@ export function registerRoutes(router, root, projectName) {
             for (const skill of skills) {
                 sendSSE(res, "skill:start", { skill });
                 try {
-                    execSync(`vskill update ${skill}`, {
+                    // 0747 code-review F-001 (defense-in-depth): batch endpoint also
+                    // shell-interpolated body.skills[]. Switch to execFileSync argv
+                    // form so request-body values can never reach the shell.
+                    execFileSync("vskill", ["update", skill], {
                         timeout: 60_000,
                         encoding: "utf-8",
                         stdio: ["ignore", "pipe", "pipe"],