npm - vskill - Versions diffs - 0.5.158 → 0.5.159 - Mend

vskill 0.5.158 → 0.5.159

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/agents.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "generatedAt": "2026-04-27T06:32:42.566Z",
+  "generatedAt": "2026-04-27T07:07:39.600Z",
   "agentPrefixes": [
     ".adal",
     ".agent",

package/dist/eval-server/api-routes.js CHANGED Viewed

@@ -2297,15 +2297,31 @@ export function registerRoutes(router, root, projectName) {
             sendJson(res, { error: `Failed to delete skill: ${err.message}` }, 500, req);
         }
     });
-    // 0780 — Uninstall an installed (lockfile-tracked) skill. Symmetric to
-    // `vskill install`: removes the lockfile entry AND trashes the on-disk
-    // dir. Idempotent on partially-removed installs (lockfile entry without
-    // disk dir, or vice versa). Returns 404 only when neither exists.
+    // 0780 / 0786 — Uninstall an installed (lockfile-tracked) skill. Symmetric
+    // to `vskill install`: removes the lockfile entry AND trashes the on-disk
+    // dir.
     //
     // Distinct from DELETE /api/skills/:plugin/:skill (which trashes
     // source-authored skills only and explicitly rejects installed copies):
     // this route is the canonical uninstall path for lockfile-tracked
     // installed skills.
+    //
+    // Response contract (revised by 0786 US-003):
+    //   400 invalid-skill-name        — skill name fails kebab-case regex
+    //   400 invalid-path              — path traversal attempt
+    //   422 not-installed             — lockfile has no entry for this skill
+    //                                   (caller should suggest Delete instead;
+    //                                   see App.tsx pendingUninstall onFailure)
+    //   500 lockfile-read-failed      — readLockfile threw
+    //   500 lockfile-write-failed     — writeLockfile threw after entry found
+    //   500 trash-failed              — OS trash of skill dir threw
+    //   200 ok                        — `{ removedFromLockfile, trashedDir }`
+    //
+    // The lockfile-first 422 check is the single security-relevant gate that
+    // prevents trashing a source-authored dir at .claude/skills/<name> that
+    // happens to exist but was never installed via the lockfile. The previous
+    // 404 fallback ("neither lockfile entry nor disk dir present") is no longer
+    // reachable and was removed.
     router.post("/api/skills/:plugin/:skill/uninstall", async (req, res, params) => {
         // Skill-name validation — same kebab-case regex used by skill-create
         // routes. Performed BEFORE any filesystem access to defang path-traversal
@@ -2337,14 +2353,14 @@ export function registerRoutes(router, root, projectName) {
             sendJson(res, { error: `Failed to read lockfile: ${err.message}`, code: "lockfile-read-failed" }, 500, req);
             return;
         }
-        const lockfileHasEntry = !!(lock && lock.skills && Object.prototype.hasOwnProperty.call(lock.skills, params.skill));
-        if (!lockfileHasEntry) {
+        if (!lock || !lock.skills || !Object.prototype.hasOwnProperty.call(lock.skills, params.skill)) {
             sendJson(res, {
                 error: `${params.skill} is not installed via the lockfile — uninstall is not applicable. For source-authored skills, use Delete instead.`,
                 code: "not-installed",
             }, 422, req);
             return;
         }
+        // Type-narrowed past this point: lock and lock.skills are both non-null.
         let removedFromLockfile = false;
         try {
             delete lock.skills[params.skill];