npm - vskill - Versions diffs - 0.5.126 → 0.5.128 - Mend

vskill 0.5.126 → 0.5.128

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

package/agents.json +1 -1
package/dist/bin.js +0 -0
package/dist/eval-server/api-routes.js +129 -12
package/dist/eval-server/api-routes.js.map +1 -1
package/dist/eval-server/install-engine-routes.js +1 -1
package/dist/eval-server/install-engine-routes.js.map +1 -1
package/dist/eval-server/utils/scan-install-locations.d.ts +18 -0
package/dist/eval-server/utils/scan-install-locations.js +136 -0
package/dist/eval-server/utils/scan-install-locations.js.map +1 -0
package/dist/eval-ui/assets/{CommandPalette-CBrGufxz.js → CommandPalette-D_MdwCki.js} +1 -1
package/dist/eval-ui/assets/{CreateSkillPage-DXrpM1On.js → CreateSkillPage-lLACfsOZ.js} +3 -3
package/dist/eval-ui/assets/{FindSkillsPalette-D99SoJx3.js → FindSkillsPalette-VTksFrSO.js} +2 -2
package/dist/eval-ui/assets/SearchPaletteCore-D49bVafl.js +14 -0
package/dist/eval-ui/assets/{SkillDetailPanel-DzmlOsAc.js → SkillDetailPanel-Cg8lyDAl.js} +1 -1
package/dist/eval-ui/assets/UpdateDropdown-CLt94M3u.js +1 -0
package/dist/eval-ui/assets/{index-BAN03ugM.css → index-C8DXCPPg.css} +1 -1
package/dist/eval-ui/assets/index-fbCfi37A.js +102 -0
package/dist/eval-ui/assets/{skill-url-lxDpBkBU.js → skill-url-DXjZASn-.js} +1 -1
package/dist/eval-ui/index.html +2 -2
package/dist/index.js +0 -0
package/package.json +1 -1
package/dist/agents/agents-registry.test.d.ts +0 -1
package/dist/agents/agents-registry.test.js +0 -248
package/dist/agents/agents-registry.test.js.map +0 -1
package/dist/api/client.test.d.ts +0 -1
package/dist/api/client.test.js +0 -428
package/dist/api/client.test.js.map +0 -1
package/dist/audit/audit-integration.test.d.ts +0 -1
package/dist/audit/audit-integration.test.js +0 -92
package/dist/audit/audit-integration.test.js.map +0 -1
package/dist/audit/audit-llm.test.d.ts +0 -1
package/dist/audit/audit-llm.test.js +0 -110
package/dist/audit/audit-llm.test.js.map +0 -1
package/dist/audit/audit-patterns.test.d.ts +0 -1
package/dist/audit/audit-patterns.test.js +0 -91
package/dist/audit/audit-patterns.test.js.map +0 -1
package/dist/audit/audit-scanner.test.d.ts +0 -1
package/dist/audit/audit-scanner.test.js +0 -112
package/dist/audit/audit-scanner.test.js.map +0 -1
package/dist/audit/audit-types.test.d.ts +0 -1
package/dist/audit/audit-types.test.js +0 -140
package/dist/audit/audit-types.test.js.map +0 -1
package/dist/audit/config.test.d.ts +0 -1
package/dist/audit/config.test.js +0 -44
package/dist/audit/config.test.js.map +0 -1
package/dist/audit/file-discovery.test.d.ts +0 -1
package/dist/audit/file-discovery.test.js +0 -120
package/dist/audit/file-discovery.test.js.map +0 -1
package/dist/audit/fix-suggestions.test.d.ts +0 -1
package/dist/audit/fix-suggestions.test.js +0 -35
package/dist/audit/fix-suggestions.test.js.map +0 -1
package/dist/audit/formatters/json-formatter.test.d.ts +0 -1
package/dist/audit/formatters/json-formatter.test.js +0 -49
package/dist/audit/formatters/json-formatter.test.js.map +0 -1
package/dist/audit/formatters/report-formatter.test.d.ts +0 -1
package/dist/audit/formatters/report-formatter.test.js +0 -51
package/dist/audit/formatters/report-formatter.test.js.map +0 -1
package/dist/audit/formatters/sarif-formatter.test.d.ts +0 -1
package/dist/audit/formatters/sarif-formatter.test.js +0 -71
package/dist/audit/formatters/sarif-formatter.test.js.map +0 -1
package/dist/audit/formatters/terminal-formatter.test.d.ts +0 -1
package/dist/audit/formatters/terminal-formatter.test.js +0 -51
package/dist/audit/formatters/terminal-formatter.test.js.map +0 -1
package/dist/blocklist/blocklist-e2e.test.d.ts +0 -1
package/dist/blocklist/blocklist-e2e.test.js +0 -346
package/dist/blocklist/blocklist-e2e.test.js.map +0 -1
package/dist/blocklist/blocklist.test.d.ts +0 -1
package/dist/blocklist/blocklist.test.js +0 -259
package/dist/blocklist/blocklist.test.js.map +0 -1
package/dist/commands/__tests__/eval-router.test.d.ts +0 -1
package/dist/commands/__tests__/eval-router.test.js +0 -60
package/dist/commands/__tests__/eval-router.test.js.map +0 -1
package/dist/commands/__tests__/eval-serve.test.d.ts +0 -1
package/dist/commands/__tests__/eval-serve.test.js +0 -23
package/dist/commands/__tests__/eval-serve.test.js.map +0 -1
package/dist/commands/add-blocklist-e2e.test.d.ts +0 -1
package/dist/commands/add-blocklist-e2e.test.js +0 -397
package/dist/commands/add-blocklist-e2e.test.js.map +0 -1
package/dist/commands/add-wizard.test.d.ts +0 -1
package/dist/commands/add-wizard.test.js +0 -392
package/dist/commands/add-wizard.test.js.map +0 -1
package/dist/commands/add.test.d.ts +0 -1
package/dist/commands/add.test.js +0 -2365
package/dist/commands/add.test.js.map +0 -1
package/dist/commands/audit.test.d.ts +0 -1
package/dist/commands/audit.test.js +0 -79
package/dist/commands/audit.test.js.map +0 -1
package/dist/commands/blocklist.test.d.ts +0 -1
package/dist/commands/blocklist.test.js +0 -158
package/dist/commands/blocklist.test.js.map +0 -1
package/dist/commands/eval/__tests__/coverage.test.d.ts +0 -1
package/dist/commands/eval/__tests__/coverage.test.js +0 -122
package/dist/commands/eval/__tests__/coverage.test.js.map +0 -1
package/dist/commands/eval/__tests__/generate-all.test.d.ts +0 -1
package/dist/commands/eval/__tests__/generate-all.test.js +0 -133
package/dist/commands/eval/__tests__/generate-all.test.js.map +0 -1
package/dist/commands/eval/__tests__/init.test.d.ts +0 -1
package/dist/commands/eval/__tests__/init.test.js +0 -116
package/dist/commands/eval/__tests__/init.test.js.map +0 -1
package/dist/commands/eval/__tests__/run.test.d.ts +0 -1
package/dist/commands/eval/__tests__/run.test.js +0 -186
package/dist/commands/eval/__tests__/run.test.js.map +0 -1
package/dist/commands/find.test.d.ts +0 -1
package/dist/commands/find.test.js +0 -481
package/dist/commands/find.test.js.map +0 -1
package/dist/commands/marketplace.test.d.ts +0 -1
package/dist/commands/marketplace.test.js +0 -129
package/dist/commands/marketplace.test.js.map +0 -1
package/dist/commands/remove.test.d.ts +0 -1
package/dist/commands/remove.test.js +0 -164
package/dist/commands/remove.test.js.map +0 -1
package/dist/commands/should-skip.test.d.ts +0 -1
package/dist/commands/should-skip.test.js +0 -56
package/dist/commands/should-skip.test.js.map +0 -1
package/dist/commands/submit.test.d.ts +0 -1
package/dist/commands/submit.test.js +0 -83
package/dist/commands/submit.test.js.map +0 -1
package/dist/commands/update.test.d.ts +0 -1
package/dist/commands/update.test.js +0 -250
package/dist/commands/update.test.js.map +0 -1
package/dist/discovery/github-tree.test.d.ts +0 -1
package/dist/discovery/github-tree.test.js +0 -372
package/dist/discovery/github-tree.test.js.map +0 -1
package/dist/eval/__tests__/activation-tester.test.d.ts +0 -1
package/dist/eval/__tests__/activation-tester.test.js +0 -203
package/dist/eval/__tests__/activation-tester.test.js.map +0 -1
package/dist/eval/__tests__/benchmark-history.test.d.ts +0 -1
package/dist/eval/__tests__/benchmark-history.test.js +0 -422
package/dist/eval/__tests__/benchmark-history.test.js.map +0 -1
package/dist/eval/__tests__/benchmark.test.d.ts +0 -1
package/dist/eval/__tests__/benchmark.test.js +0 -94
package/dist/eval/__tests__/benchmark.test.js.map +0 -1
package/dist/eval/__tests__/comparator.test.d.ts +0 -1
package/dist/eval/__tests__/comparator.test.js +0 -282
package/dist/eval/__tests__/comparator.test.js.map +0 -1
package/dist/eval/__tests__/judge.test.d.ts +0 -1
package/dist/eval/__tests__/judge.test.js +0 -122
package/dist/eval/__tests__/judge.test.js.map +0 -1
package/dist/eval/__tests__/llm.test.d.ts +0 -1
package/dist/eval/__tests__/llm.test.js +0 -543
package/dist/eval/__tests__/llm.test.js.map +0 -1
package/dist/eval/__tests__/mcp-detector.test.d.ts +0 -1
package/dist/eval/__tests__/mcp-detector.test.js +0 -180
package/dist/eval/__tests__/mcp-detector.test.js.map +0 -1
package/dist/eval/__tests__/prompt-builder.test.d.ts +0 -1
package/dist/eval/__tests__/prompt-builder.test.js +0 -142
package/dist/eval/__tests__/prompt-builder.test.js.map +0 -1
package/dist/eval/__tests__/schema.test.d.ts +0 -1
package/dist/eval/__tests__/schema.test.js +0 -247
package/dist/eval/__tests__/schema.test.js.map +0 -1
package/dist/eval/__tests__/skill-scanner.test.d.ts +0 -1
package/dist/eval/__tests__/skill-scanner.test.js +0 -228
package/dist/eval/__tests__/skill-scanner.test.js.map +0 -1
package/dist/eval/__tests__/verdict.test.d.ts +0 -1
package/dist/eval/__tests__/verdict.test.js +0 -47
package/dist/eval/__tests__/verdict.test.js.map +0 -1
package/dist/eval-server/__tests__/benchmark-runner.test.d.ts +0 -1
package/dist/eval-server/__tests__/benchmark-runner.test.js +0 -301
package/dist/eval-server/__tests__/benchmark-runner.test.js.map +0 -1
package/dist/eval-server/__tests__/comparison-sse-events.test.d.ts +0 -1
package/dist/eval-server/__tests__/comparison-sse-events.test.js +0 -278
package/dist/eval-server/__tests__/comparison-sse-events.test.js.map +0 -1
package/dist/eval-server/__tests__/sse-helpers.test.d.ts +0 -1
package/dist/eval-server/__tests__/sse-helpers.test.js +0 -128
package/dist/eval-server/__tests__/sse-helpers.test.js.map +0 -1
package/dist/eval-ui/assets/SearchPaletteCore-CnRYmTuv.js +0 -6
package/dist/eval-ui/assets/UpdateDropdown-BsAm4uMW.js +0 -1
package/dist/eval-ui/assets/index-BGQolxHD.js +0 -102
package/dist/installer/canonical.test.d.ts +0 -1
package/dist/installer/canonical.test.js +0 -264
package/dist/installer/canonical.test.js.map +0 -1
package/dist/lockfile/lockfile.test.d.ts +0 -1
package/dist/lockfile/lockfile.test.js +0 -204
package/dist/lockfile/lockfile.test.js.map +0 -1
package/dist/lockfile/project-root.test.d.ts +0 -1
package/dist/lockfile/project-root.test.js +0 -49
package/dist/lockfile/project-root.test.js.map +0 -1
package/dist/marketplace/marketplace.test.d.ts +0 -1
package/dist/marketplace/marketplace.test.js +0 -312
package/dist/marketplace/marketplace.test.js.map +0 -1
package/dist/resolvers/source-resolver.test.d.ts +0 -1
package/dist/resolvers/source-resolver.test.js +0 -104
package/dist/resolvers/source-resolver.test.js.map +0 -1
package/dist/resolvers/url-resolver.test.d.ts +0 -1
package/dist/resolvers/url-resolver.test.js +0 -49
package/dist/resolvers/url-resolver.test.js.map +0 -1
package/dist/scanner/dci-integration.test.d.ts +0 -1
package/dist/scanner/dci-integration.test.js +0 -83
package/dist/scanner/dci-integration.test.js.map +0 -1
package/dist/scanner/patterns.test.d.ts +0 -1
package/dist/scanner/patterns.test.js +0 -832
package/dist/scanner/patterns.test.js.map +0 -1
package/dist/scanner/tier1.test.d.ts +0 -1
package/dist/scanner/tier1.test.js +0 -305
package/dist/scanner/tier1.test.js.map +0 -1
package/dist/security/platform-security.test.d.ts +0 -1
package/dist/security/platform-security.test.js +0 -92
package/dist/security/platform-security.test.js.map +0 -1
package/dist/settings/settings.test.d.ts +0 -1
package/dist/settings/settings.test.js +0 -103
package/dist/settings/settings.test.js.map +0 -1
package/dist/updater/source-fetcher.test.d.ts +0 -1
package/dist/updater/source-fetcher.test.js +0 -192
package/dist/updater/source-fetcher.test.js.map +0 -1
package/dist/utils/__tests__/paths.test.d.ts +0 -1
package/dist/utils/__tests__/paths.test.js +0 -22
package/dist/utils/__tests__/paths.test.js.map +0 -1
package/dist/utils/__tests__/resolve-binary.integration.test.d.ts +0 -1
package/dist/utils/__tests__/resolve-binary.integration.test.js +0 -138
package/dist/utils/__tests__/resolve-binary.integration.test.js.map +0 -1
package/dist/utils/__tests__/resolve-binary.test.d.ts +0 -1
package/dist/utils/__tests__/resolve-binary.test.js +0 -175
package/dist/utils/__tests__/resolve-binary.test.js.map +0 -1
package/dist/utils/__tests__/validation.test.d.ts +0 -1
package/dist/utils/__tests__/validation.test.js +0 -107
package/dist/utils/__tests__/validation.test.js.map +0 -1
package/dist/utils/agent-filter.test.d.ts +0 -1
package/dist/utils/agent-filter.test.js +0 -75
package/dist/utils/agent-filter.test.js.map +0 -1
package/dist/utils/output.test.d.ts +0 -1
package/dist/utils/output.test.js +0 -28
package/dist/utils/output.test.js.map +0 -1
package/dist/utils/project-root.test.d.ts +0 -1
package/dist/utils/project-root.test.js +0 -74
package/dist/utils/project-root.test.js.map +0 -1
package/dist/utils/prompts.test.d.ts +0 -1
package/dist/utils/prompts.test.js +0 -285
package/dist/utils/prompts.test.js.map +0 -1

package/agents.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "generatedAt": "2026-04-26T06:02:47.633Z",
+  "generatedAt": "2026-04-26T09:56:17.782Z",
   "agentPrefixes": [
     ".adal",
     ".agent",

package/dist/bin.js CHANGED Viewed

File without changes

package/dist/eval-server/api-routes.js CHANGED Viewed

@@ -2,7 +2,7 @@
 // api-routes.ts -- REST API route handlers for the eval UI
 // ---------------------------------------------------------------------------
 import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, statSync } from "node:fs";
-import { execSync } from "node:child_process";
+import { execSync, execFileSync } from "node:child_process";
 import { join, resolve, dirname, basename } from "node:path";
 import { homedir } from "node:os";
 import { sendJson, readBody } from "./router.js";
@@ -1510,20 +1510,54 @@ export function registerRoutes(router, root, projectName) {
     // directly instead of shelling out to whatever `vskill` is on PATH (which
     // may be a different version than the studio is bundling). This guarantees
     // the disk-version reconcile from outdated.ts is applied uniformly.
+    //
+    // 0747 T-002: enrich each row with `installLocations[]`, `localPlugin`,
+    // `localSkill` so the Studio's bell dropdown can render tooltips and route
+    // smart clicks via `revealSkill` instead of guessing local fs identifiers
+    // from the canonical platform name.
     router.get("/api/skills/updates", async (req, res) => {
         try {
             const { getOutdatedJson } = await import("../commands/outdated.js");
+            const { scanSkillInstallLocations } = await import("./utils/scan-install-locations.js");
             const programmatic = await getOutdatedJson();
             if (!programmatic) {
                 sendJson(res, [], 200, req);
                 return;
             }
-            const enriched = programmatic.results.map((r) => ({
-                ...r,
-                ...(programmatic.pinMap.has(r.name)
-                    ? { pinned: true, pinnedVersion: programmatic.pinMap.get(r.name) }
-                    : {}),
-            }));
+            // 0747 AC-US4-06 + code-review F-004: per-request memoization keyed by
+            // canonical skill name. Each unique name is scanned exactly once even
+            // if it appears in multiple rows, so the syscall cost is O(unique
+            // names × agents × scopes), not O(rows × agents × scopes). For a
+            // typical /updates response every row has a distinct name, so this
+            // matches the previous one-call-per-row behavior on the happy path
+            // while giving a correct lower bound when names ever duplicate.
+            const scanCache = new Map();
+            const scanOnce = (name) => {
+                const hit = scanCache.get(name);
+                if (hit !== undefined)
+                    return hit;
+                const fresh = scanSkillInstallLocations(name, root);
+                scanCache.set(name, fresh);
+                return fresh;
+            };
+            const enriched = programmatic.results.map((r) => {
+                const locations = scanOnce(r.name);
+                const localSkill = r.name.split("/").pop();
+                // Highest-precedence install wins for the local fs pair the click
+                // handler reveals: project > personal > plugin.
+                const precedence = { project: 0, personal: 1, plugin: 2 };
+                const winner = [...locations].sort((a, b) => precedence[a.scope] -
+                    precedence[b.scope])[0];
+                return {
+                    ...r,
+                    ...(programmatic.pinMap.has(r.name)
+                        ? { pinned: true, pinnedVersion: programmatic.pinMap.get(r.name) }
+                        : {}),
+                    installLocations: locations,
+                    localSkill,
+                    ...(winner?.pluginSlug ? { localPlugin: winner.pluginSlug } : {}),
+                };
+            });
             sendJson(res, enriched, 200, req);
         }
         catch {
@@ -1637,18 +1671,88 @@ export function registerRoutes(router, root, projectName) {
         }
     });
     // T-011: Single-skill update SSE endpoint
+    //
+    // 0747 T-003: optional `?agent=<id>` query param scopes the update to a
+    // single agent's install. The id MUST be in AGENTS_REGISTRY (allowlist) —
+    // it is interpolated into the execSync command, so any non-allowlisted
+    // value is rejected before reaching the shell. Without `?agent`, behavior
+    // is unchanged and `vskill update` does its built-in cross-agent fan-out.
+    // 0747 code-review/grill F-002: validate :skill route params against a
+    // strict slug regex. Without this, a value starting with `--` becomes a
+    // CLI flag instead of a positional arg (e.g. `vskill update --force`
+    // touches every skill including pinned ones). execFileSync prevents
+    // shell injection but Commander still parses argv. Allowed: alphanum,
+    // dot, underscore, hyphen, slash (for canonical owner/repo/skill names).
+    const SKILL_SLUG_RE = /^[a-zA-Z0-9._/-]+$/;
+    const isSafeSkillName = (s) => typeof s === "string" &&
+        s.length > 0 &&
+        s.length <= 200 &&
+        !s.startsWith("-") &&
+        SKILL_SLUG_RE.test(s);
     router.post("/api/skills/:plugin/:skill/update", async (req, res, params) => {
         initSSE(res, req);
         const skillName = params.skill;
-        sendSSE(res, "progress", { status: "updating", skill: skillName });
+        // 0747 grill F-002: reject before doing anything so a malformed slug
+        // can never reach Commander as a flag.
+        if (!isSafeSkillName(skillName)) {
+            sendSSE(res, "error", {
+                error: `Invalid skill name: ${skillName}`,
+                skill: skillName,
+            });
+            sendSSEDone(res, { status: "error", skill: skillName });
+            return;
+        }
+        // Parse optional ?agent=<id>
+        let agentId = null;
         try {
-            execSync(`vskill update ${skillName}`, {
+            const reqUrl = req.url ?? "";
+            const url = new URL(reqUrl, "http://localhost");
+            const raw = url.searchParams.get("agent");
+            if (raw !== null) {
+                const allowed = AGENTS_REGISTRY.some((a) => a.id === raw);
+                if (!allowed) {
+                    sendSSE(res, "error", {
+                        error: `Unknown agent id: ${raw}`,
+                        skill: skillName,
+                    });
+                    sendSSEDone(res, { status: "error", skill: skillName });
+                    return;
+                }
+                agentId = raw;
+            }
+        }
+        catch {
+            // URL parse error → behave as if ?agent was omitted
+        }
+        sendSSE(res, "progress", {
+            status: "updating",
+            skill: skillName,
+            ...(agentId ? { agent: agentId } : {}),
+        });
+        try {
+            // 0747 code-review F-001: use execFileSync with argv array — never
+            // shell-interpolate user-controlled values. skillName comes from a
+            // route param and could otherwise carry shell metacharacters via
+            // decodeURIComponent. agentId is allowlisted above; we still pass it
+            // as a separate arg for defense-in-depth.
+            const args = ["update", skillName];
+            if (agentId)
+                args.push("--agent", agentId);
+            execFileSync("vskill", args, {
                 timeout: 60_000,
                 encoding: "utf-8",
                 stdio: ["ignore", "pipe", "pipe"],
             });
-            sendSSE(res, "progress", { status: "done", skill: skillName });
-            sendSSEDone(res, { status: "done", skill: skillName });
+            sendSSE(res, "progress", {
+                status: "done",
+                skill: skillName,
+                ...(agentId ? { agent: agentId } : {}),
+            });
+            sendSSEDone(res, {
+                status: "done",
+                skill: skillName,
+                ...(agentId ? { agent: agentId } : {}),
+            });
         }
         catch (err) {
             sendSSE(res, "error", { error: err.message, skill: skillName });
@@ -1671,8 +1775,21 @@ export function registerRoutes(router, root, projectName) {
         try {
             for (const skill of skills) {
                 sendSSE(res, "skill:start", { skill });
+                // 0747 grill F-002: reject body.skills[] entries that could be
+                // misread by Commander as flags (e.g. `--force`).
+                if (!isSafeSkillName(skill)) {
+                    sendSSE(res, "skill:error", {
+                        skill,
+                        error: `Invalid skill name: ${skill}`,
+                    });
+                    failed++;
+                    continue;
+                }
                 try {
-                    execSync(`vskill update ${skill}`, {
+                    // 0747 code-review F-001 (defense-in-depth): batch endpoint also
+                    // shell-interpolated body.skills[]. Switch to execFileSync argv
+                    // form so request-body values can never reach the shell.
+                    execFileSync("vskill", ["update", skill], {
                         timeout: 60_000,
                         encoding: "utf-8",
                         stdio: ["ignore", "pipe", "pipe"],