vskill 1.0.13 → 1.0.15

package/dist/eval-server/install-engine-routes-helpers.js

@@ -2,24 +2,16 @@
 // install-engine-routes-helpers.ts — extracted prerequisite-CLI lookup so it
 // can be mocked independently of node:child_process in unit tests.
 // Ref: 0734 AC-US5-02
+//
+// Now a thin re-export of the shared `whichSync` helper; the previous
+// inline `spawnSync`-based implementation lives in utils/which.ts.
 // ---------------------------------------------------------------------------
-import { spawnSync } from "node:child_process";
+import { whichSync } from "./utils/which.js";
 /**
  * Returns true when `cmd` resolves to an executable on PATH.
- *
- * Uses `which` (POSIX) / `where` (Windows). Pure best-effort: any failure to
- * spawn the lookup process is treated as "not available".
+ * Uses `which` / `where` under the hood with metacharacter guard + cache.
  */
 export function isCliAvailable(cmd) {
-    if (!cmd || /[^a-zA-Z0-9_-]/.test(cmd))
-        return false; // hard guard against shell metacharacters
-    const lookup = process.platform === "win32" ? "where" : "which";
-    try {
-        const res = spawnSync(lookup, [cmd], { stdio: "ignore" });
-        return res.status === 0;
-    }
-    catch {
-        return false;
-    }
+    return whichSync(cmd);
 }
 //# sourceMappingURL=install-engine-routes-helpers.js.map

package/dist/eval-server/install-engine-routes-helpers.js.map

@@ -1 +1 @@
-{"version":3,"file":"install-engine-routes-helpers.js","sourceRoot":"","sources":["../../src/eval-server/install-engine-routes-helpers.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,mEAAmE;AACnE,sBAAsB;AACtB,8EAA8E;AAE9E,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,IAAI,CAAC,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,0CAA0C;IAEhG,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC1D,OAAO,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"install-engine-routes-helpers.js","sourceRoot":"","sources":["../../src/eval-server/install-engine-routes-helpers.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,6EAA6E;AAC7E,mEAAmE;AACnE,sBAAsB;AACtB,EAAE;AACF,sEAAsE;AACtE,mEAAmE;AACnE,8EAA8E;AAE9E,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC"}

package/dist/eval-server/origin-resolver.d.ts

@@ -0,0 +1,42 @@
+export type OriginSource = "platform" | "anthropic-registry" | "local";
+export type OriginProvider = "vskill" | "anthropic" | "local";
+export interface OriginEnvelope {
+    source: OriginSource;
+    owner: string | null;
+    repo: string | null;
+    provider: OriginProvider;
+    trackedForUpdates: boolean;
+    /** Lockfile dir that produced the hit (for debugging). */
+    lockfilePath?: string;
+    /** Frontmatter source string when Tier 3 hits (debug). */
+    frontmatterSource?: string;
+    /** Registry key when Tier 4 hits (debug). */
+    registryMatch?: string;
+}
+/**
+ * Well-known Anthropic-shipped skills. Mapped to their canonical
+ * `anthropics/skills/<name>` upstream (the verified-skill.com URL pattern
+ * for skills published from the `anthropics/skills` GitHub repo) so the
+ * Versions tab can fetch upstream history even when the skill arrived
+ * without a vskill lockfile entry.
+ *
+ * Verified live (2026-05-01): `https://verified-skill.com/api/v1/skills/anthropics/skills/pptx/versions`
+ * returns `{ versions, count, unversioned, currentVersion }` JSON. The
+ * `anthropic-skills/<name>` pattern (with hyphen) returns 404.
+ *
+ * Maintained as a hand-curated list. Add new names as Anthropic ships them.
+ */
+export declare const ANTHROPIC_SKILL_REGISTRY: Record<string, {
+    owner: string;
+    repo: string;
+}>;
+/** Test-only: clear the in-process cache between cases. */
+export declare function resetOriginResolverCache(): void;
+/**
+ * Resolve a skill's full provenance envelope.
+ *
+ * @param skill — bare skill slug (e.g. "slack-messaging")
+ * @param plugin — the plugin/agent dir the skill is mounted under (e.g. ".claude")
+ * @param root — the studio process cwd (project root)
+ */
+export declare function resolveSkillOrigin(skill: string, plugin: string | null, root: string): Promise<OriginEnvelope>;

package/dist/eval-server/origin-resolver.js

@@ -0,0 +1,168 @@
+// 0823 — Comprehensive Origin Resolver for Skill Provenance.
+//
+// Determines where a skill came from so the Versions tab + rescan can fetch
+// upstream version history. Walks five tiers; first hit wins.
+//
+//   (1) project lockfile     `<root>/vskill.lock`
+//   (2) user-global lockfile `~/.agents/vskill.lock`
+//   (3) frontmatter `source:` field in SKILL.md (deferred — present in interface,
+//       wired in a follow-up; today this tier is reserved and falls through.)
+//   (4) Anthropic-skill registry (well-known names → anthropics/skills/<name>)
+//       — see ANTHROPIC_SKILL_REGISTRY below. Verified-live URL pattern.
+//   (5) bare-name fallback / unknown (provider="local", no upstream)
+//
+// IMPORTANT: cache resolved envelopes to avoid repeated lockfile reads, but
+// DO NOT cache the "local" fallback — a future install would otherwise be
+// invisible until studio restart.
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { readLockfile } from "../lockfile/lockfile.js";
+import { parseSource } from "../resolvers/source-resolver.js";
+/**
+ * Well-known Anthropic-shipped skills. Mapped to their canonical
+ * `anthropics/skills/<name>` upstream (the verified-skill.com URL pattern
+ * for skills published from the `anthropics/skills` GitHub repo) so the
+ * Versions tab can fetch upstream history even when the skill arrived
+ * without a vskill lockfile entry.
+ *
+ * Verified live (2026-05-01): `https://verified-skill.com/api/v1/skills/anthropics/skills/pptx/versions`
+ * returns `{ versions, count, unversioned, currentVersion }` JSON. The
+ * `anthropic-skills/<name>` pattern (with hyphen) returns 404.
+ *
+ * Maintained as a hand-curated list. Add new names as Anthropic ships them.
+ */
+export const ANTHROPIC_SKILL_REGISTRY = {
+    "slack-messaging": { owner: "anthropics", repo: "skills" },
+    pptx: { owner: "anthropics", repo: "skills" },
+    "excalidraw-diagram-generator": { owner: "anthropics", repo: "skills" },
+    "excalidraw-skill": { owner: "anthropics", repo: "skills" },
+    "frontend-design": { owner: "anthropics", repo: "skills" },
+    gws: { owner: "anthropics", repo: "skills" },
+    "remotion-best-practices": { owner: "anthropics", repo: "skills" },
+    "social-media-posting": { owner: "anthropics", repo: "skills" },
+    "webapp-testing": { owner: "anthropics", repo: "skills" },
+    "obsidian-brain": { owner: "anthropics", repo: "skills" },
+    nanobanana: { owner: "anthropics", repo: "skills" },
+    pdf: { owner: "anthropics", repo: "skills" },
+    docx: { owner: "anthropics", repo: "skills" },
+    xlsx: { owner: "anthropics", repo: "skills" },
+    "skill-creator": { owner: "anthropics", repo: "skills" },
+};
+// 0823 simplify: cap the cache so a long-lived studio process polling many
+// distinct (plugin, skill) combinations doesn't grow unboundedly. The Map's
+// insertion-order semantics give us cheap LRU-ish eviction: when we exceed
+// MAX_CACHE_ENTRIES, drop the oldest entries until under the soft limit.
+const MAX_CACHE_ENTRIES = 1000;
+const PRUNE_TARGET = 500;
+const cache = new Map();
+function setCacheEntry(key, value) {
+    cache.set(key, value);
+    if (cache.size > MAX_CACHE_ENTRIES) {
+        const dropCount = cache.size - PRUNE_TARGET;
+        let i = 0;
+        for (const k of cache.keys()) {
+            if (i++ >= dropCount)
+                break;
+            cache.delete(k);
+        }
+    }
+}
+/** Test-only: clear the in-process cache between cases. */
+export function resetOriginResolverCache() {
+    cache.clear();
+}
+function tryLockfileTier(skill, dir) {
+    let lock;
+    try {
+        lock = readLockfile(dir);
+    }
+    catch {
+        return null;
+    }
+    const entry = lock?.skills?.[skill];
+    if (!entry?.source)
+        return null;
+    let parsed;
+    try {
+        parsed = parseSource(entry.source);
+    }
+    catch {
+        return null;
+    }
+    if ((parsed.type === "github" ||
+        parsed.type === "github-plugin" ||
+        parsed.type === "marketplace") &&
+        parsed.owner &&
+        parsed.repo) {
+        return { owner: parsed.owner, repo: parsed.repo };
+    }
+    return null;
+}
+/**
+ * Resolve a skill's full provenance envelope.
+ *
+ * @param skill — bare skill slug (e.g. "slack-messaging")
+ * @param plugin — the plugin/agent dir the skill is mounted under (e.g. ".claude")
+ * @param root — the studio process cwd (project root)
+ */
+export async function resolveSkillOrigin(skill, plugin, root) {
+    const cacheKey = `${plugin ?? ""}::${skill}`;
+    const cached = cache.get(cacheKey);
+    if (cached)
+        return cached;
+    // Tier 1 — project lockfile
+    const projectHit = tryLockfileTier(skill, root);
+    if (projectHit) {
+        const env = {
+            source: "platform",
+            owner: projectHit.owner,
+            repo: projectHit.repo,
+            provider: "vskill",
+            trackedForUpdates: true,
+            lockfilePath: root,
+        };
+        setCacheEntry(cacheKey, env);
+        return env;
+    }
+    // Tier 2 — user-global lockfile (~/.agents/vskill.lock)
+    const globalDir = join(homedir(), ".agents");
+    const globalHit = tryLockfileTier(skill, globalDir);
+    if (globalHit) {
+        const env = {
+            source: "platform",
+            owner: globalHit.owner,
+            repo: globalHit.repo,
+            provider: "vskill",
+            trackedForUpdates: true,
+            lockfilePath: globalDir,
+        };
+        setCacheEntry(cacheKey, env);
+        return env;
+    }
+    // Tier 3 — frontmatter `source:` field. Reserved; not yet wired (no
+    // installed-skill writes a frontmatter origin today). Tier-skipped silently.
+    // Tier 4 — Anthropic-skill registry
+    const registryHit = ANTHROPIC_SKILL_REGISTRY[skill];
+    if (registryHit) {
+        const env = {
+            source: "anthropic-registry",
+            owner: registryHit.owner,
+            repo: registryHit.repo,
+            provider: "anthropic",
+            trackedForUpdates: true,
+            registryMatch: skill,
+        };
+        setCacheEntry(cacheKey, env);
+        return env;
+    }
+    // Tier 5 — local / unknown. NOT cached so a future install becomes visible
+    // without a studio restart.
+    return {
+        source: "local",
+        owner: null,
+        repo: null,
+        provider: "local",
+        trackedForUpdates: false,
+    };
+}
+//# sourceMappingURL=origin-resolver.js.map

package/dist/eval-server/origin-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin-resolver.js","sourceRoot":"","sources":["../../src/eval-server/origin-resolver.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,EAAE;AACF,4EAA4E;AAC5E,8DAA8D;AAC9D,EAAE;AACF,kDAAkD;AAClD,qDAAqD;AACrD,kFAAkF;AAClF,8EAA8E;AAC9E,+EAA+E;AAC/E,yEAAyE;AACzE,qEAAqE;AACrE,EAAE;AACF,4EAA4E;AAC5E,0EAA0E;AAC1E,kCAAkC;AAElC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAmB9D;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAoD;IACvF,iBAAiB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC1D,IAAI,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC7C,8BAA8B,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IACvE,kBAAkB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC3D,iBAAiB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC1D,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC5C,yBAAyB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAClE,sBAAsB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC/D,gBAAgB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IACzD,gBAAgB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IACzD,UAAU,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IACnD,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC5C,IAAI,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC7C,IAAI,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;IAC7C,eAAe,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE;CACzD,CAAC;AAEF,2EAA2E;AAC3E,4EAA4E;AAC5E,2EAA2E;AAC3E,yEAAyE;AACzE,MAAM,iBAAiB,GAAG,IAAI,CAAC;AAC/B,MAAM,YAAY,GAAG,GAAG,CAAC;AACzB,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;AAEhD,SAAS,aAAa,CAAC,GAAW,EAAE,KAAqB;IACvD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtB,IAAI,KAAK,CAAC,IAAI,GAAG,iBAAiB,EAAE,CAAC;QACnC,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,GAAG,YAAY,CAAC;QAC5C,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC7B,IAAI,CAAC,EAAE,IAAI,SAAS;gBAAE,MAAM;YAC5B,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,wBAAwB;IACtC,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CACtB,KAAa,EACb,GAAW;IAEX,IAAI,IAAI,CAAC;IACT,IAAI,CAAC;QACH,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IACE,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ;QACvB,MAAM,CAAC,IAAI,KAAK,eAAe;QAC/B,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC;QAChC,MAAM,CAAC,KAAK;QACZ,MAAM,CAAC,IAAI,EACX,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;IACpD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa,EACb,MAAqB,EACrB,IAAY;IAEZ,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,4BAA4B;IAC5B,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAChD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,GAAG,GAAmB;YAC1B,MAAM,EAAE,UAAU;YAClB,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,QAAQ,EAAE,QAAQ;YAClB,iBAAiB,EAAE,IAAI;YACvB,YAAY,EAAE,IAAI;SACnB,CAAC;QACF,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,wDAAwD;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IACpD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,GAAG,GAAmB;YAC1B,MAAM,EAAE,UAAU;YAClB,KAAK,EAAE,SAAS,CAAC,KAAK;YACtB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,QAAQ,EAAE,QAAQ;YAClB,iBAAiB,EAAE,IAAI;YACvB,YAAY,EAAE,SAAS;SACxB,CAAC;QACF,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,oEAAoE;IACpE,6EAA6E;IAE7E,oCAAoC;IACpC,MAAM,WAAW,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;IACpD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,GAAG,GAAmB;YAC1B,MAAM,EAAE,oBAAoB;YAC5B,KAAK,EAAE,WAAW,CAAC,KAAK;YACxB,IAAI,EAAE,WAAW,CAAC,IAAI;YACtB,QAAQ,EAAE,WAAW;YACrB,iBAAiB,EAAE,IAAI;YACvB,aAAa,EAAE,KAAK;SACrB,CAAC;QACF,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,2EAA2E;IAC3E,4BAA4B;IAC5B,OAAO;QACL,MAAM,EAAE,OAAO;QACf,KAAK,EAAE,IAAI;QACX,IAAI,EAAE,IAAI;QACV,QAAQ,EAAE,OAAO;QACjB,iBAAiB,EAAE,KAAK;KACzB,CAAC;AACJ,CAAC"}

package/dist/eval-server/platform-proxy.d.ts

@@ -1,6 +1,16 @@
 import * as http from "node:http";
 export declare function getPlatformBaseUrl(): string;
 export declare function shouldProxyToPlatform(url: string | undefined): boolean;
+export declare function shouldInjectAuth(url: string | undefined): boolean;
+/** Test-only reset hook. */
+export declare function _resetPlatformProxyAuthCacheForTests(): void;
+export interface PickHeadersOptions {
+    /** Request path (e.g. "/api/v1/tenants/abc/skills"). */
+    path?: string;
+    /** Token provider override; defaults to in-process cached keychain read. */
+    tokenProvider?: () => string | null;
+}
+export declare function pickHeadersForUpstream(src: http.IncomingHttpHeaders, opts?: PickHeadersOptions): Record<string, string>;
 /**
  * Proxy a single HTTP request from the studio to the platform.
  * SSE-safe: streams the upstream body chunks directly to the response so

package/dist/eval-server/platform-proxy.js

@@ -50,6 +50,7 @@
 import * as http from "node:http";
 import * as https from "node:https";
 import { randomUUID } from "node:crypto";
+import { getDefaultKeychain } from "../lib/keychain.js";
 const DEFAULT_PLATFORM_URL = "https://verified-skill.com";
 // Hop-by-hop headers per RFC 2616 §13.5.1 — never forward these on a proxy.
 const HOP_BY_HOP = new Set([
@@ -88,24 +89,79 @@ const PROXY_PREFIXES = [
     "/api/v1/studio/search",
     "/api/v1/studio/telemetry/",
     "/api/v1/stats",
+    // Private (org-scoped) routes that must carry the user's GitHub bearer token
+    // to the platform. The browser never sees this token; injection happens here.
+    "/api/v1/private/",
+    "/api/v1/tenants/",
+];
+/**
+ * Path prefixes that require an `Authorization: Bearer <github-token>` header
+ * to be injected at the proxy boundary. Public skill routes are intentionally
+ * excluded — they must remain anonymous so unauthenticated tabs continue to
+ * function in the public skill catalog.
+ */
+const AUTH_REQUIRED_PREFIXES = [
+    "/api/v1/private/",
+    "/api/v1/tenants/",
 ];
 export function shouldProxyToPlatform(url) {
     if (!url)
         return false;
     return PROXY_PREFIXES.some((p) => url.startsWith(p));
 }
-function pickHeadersForUpstream(src) {
+export function shouldInjectAuth(url) {
+    if (!url)
+        return false;
+    return AUTH_REQUIRED_PREFIXES.some((p) => url.startsWith(p));
+}
+// In-process token cache so a burst of proxy requests doesn't repeatedly hit
+// the OS keychain. The keychain itself is fast on macOS but can be slower on
+// Linux libsecret. 60s aligns with how stale a manual `vskill auth login`
+// → `vskill studio refresh` loop would feel.
+let _cachedToken = null;
+const TOKEN_CACHE_MS = 60_000;
+function readTokenForProxy(now = Date.now()) {
+    if (_cachedToken && _cachedToken.expiresAt > now)
+        return _cachedToken.value;
+    let token = null;
+    try {
+        token = getDefaultKeychain().getGitHubToken();
+    }
+    catch {
+        token = null;
+    }
+    _cachedToken = { value: token, expiresAt: now + TOKEN_CACHE_MS };
+    return token;
+}
+/** Test-only reset hook. */
+export function _resetPlatformProxyAuthCacheForTests() {
+    _cachedToken = null;
+}
+export function pickHeadersForUpstream(src, opts = {}) {
     const out = {};
     for (const [k, v] of Object.entries(src)) {
         if (typeof v === "undefined")
             continue;
         if (HOP_BY_HOP.has(k.toLowerCase()))
             continue;
+        // Strip any client-supplied Authorization on private/tenant paths — we
+        // mint our own from the keychain. On other paths we pass through (the
+        // existing public proxy never carried Authorization, so this is a no-op).
+        if (k.toLowerCase() === "authorization" && opts.path && shouldInjectAuth(opts.path)) {
+            continue;
+        }
         out[k] = Array.isArray(v) ? v.join(", ") : String(v);
     }
     // Preserve client-IP intent for any future platform-side observability.
     const xff = out["x-forwarded-for"];
     out["x-forwarded-for"] = xff ? `${xff}, 127.0.0.1` : "127.0.0.1";
+    if (opts.path && shouldInjectAuth(opts.path)) {
+        const tokenProvider = opts.tokenProvider ?? (() => readTokenForProxy());
+        const token = tokenProvider();
+        if (token) {
+            out["authorization"] = `Bearer ${token}`;
+        }
+    }
     return out;
 }
 function pickHeadersForDownstream(src) {
@@ -138,7 +194,7 @@ export function proxyToPlatform(req, res, baseUrl = getPlatformBaseUrl()) {
             port: target.port || (target.protocol === "https:" ? 443 : 80),
             path: `${target.pathname}${target.search}`,
             method: req.method,
-            headers: pickHeadersForUpstream(req.headers),
+            headers: pickHeadersForUpstream(req.headers, { path: target.pathname }),
         }, (upstreamRes) => {
             const status = upstreamRes.statusCode ?? 502;
             const headers = pickHeadersForDownstream(upstreamRes.headers);

package/dist/eval-server/platform-proxy.js.map

@@ -1 +1 @@
-{"version":3,"file":"platform-proxy.js","sourceRoot":"","sources":["../../src/eval-server/platform-proxy.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,2EAA2E;AAC3E,2EAA2E;AAC3E,2EAA2E;AAC3E,gDAAgD;AAChD,EAAE;AACF,iFAAiF;AACjF,wEAAwE;AACxE,2EAA2E;AAC3E,yEAAyE;AACzE,0EAA0E;AAC1E,yEAAyE;AACzE,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,4BAA4B;AAC5B,EAAE;AACF,gBAAgB;AAChB,wEAAwE;AACxE,2EAA2E;AAC3E,kFAAkF;AAClF,4DAA4D;AAC5D,yEAAyE;AACzE,wEAAwE;AACxE,0EAA0E;AAC1E,oCAAoC;AACpC,oEAAoE;AACpE,4CAA4C;AAC5C,mEAAmE;AACnE,qEAAqE;AACrE,0CAA0C;AAC1C,EAAE;AACF,yDAAyD;AACzD,0DAA0D;AAC1D,2EAA2E;AAC3E,2EAA2E;AAC3E,8EAA8E;AAC9E,qEAAqE;AACrE,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,EAAE;AACF,0EAA0E;AAC1E,sEAAsE;AACtE,yEAAyE;AACzE,8EAA8E;AAE9E,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,oBAAoB,GAAG,4BAA4B,CAAC;AAE1D,4EAA4E;AAC5E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,MAAM;IACN,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,UAAU,kBAAkB;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,cAAc,GAAG;IACrB,iBAAiB;IACjB,uBAAuB;IACvB,2BAA2B;IAC3B,eAAe;CACP,CAAC;AAEX,MAAM,UAAU,qBAAqB,CAAC,GAAuB;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,sBAAsB,CAC7B,GAA6B;IAE7B,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,WAAW;YAAE,SAAS;QACvC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QAC9C,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,wEAAwE;IACxE,MAAM,GAAG,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACnC,GAAG,CAAC,iBAAiB,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC;IACjE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,wBAAwB,CAC/B,GAA6B;IAE7B,MAAM,GAAG,GAAsC,EAAE,CAAC;IAClD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,WAAW;YAAE,SAAS;QACvC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QAC9C,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACb,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAyB,EACzB,GAAwB,EACxB,UAAkB,kBAAkB,EAAE;IAEtC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CACnC;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,IAAI,EAAE,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE;YAC1C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC;SAC7C,EACD,CAAC,WAAW,EAAE,EAAE;YACd,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,IAAI,GAAG,CAAC;YAC7C,MAAM,OAAO,GAAG,wBAAwB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC9D,IAAI,CAAC;gBACH,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,mCAAmC;YACrC,CAAC;YACD,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACvC,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBAC3B,IAAI,CAAC,GAAG,CAAC,aAAa;oBAAE,GAAG,CAAC,GAAG,EAAE,CAAC;gBAClC,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YACH,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,CAAC,CACF,CAAC;QAEF,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC9B,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;gBACvB,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,sBAAsB;oBAC7B,OAAO,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE;oBACvD,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB,CAAC,CACH,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,uEAAuE;QACvE,gEAAgE;QAChE,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,IAAI,CAAC;gBACH,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,gEAAgE;QAChE,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC;AAgCD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAkC,EAClC,OAA6E,EAAE;IAE/E,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC3E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,EAAE,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG;QACZ,IAAI,EAAE,eAAwB;QAC9B,OAAO;QACP,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE;QAC1D,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC1D,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjE,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,GAAG,OAAO,iCAAiC,EAAE;YACxE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,gBAAgB,EAAE,WAAW;aAC9B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC5B,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;QAC3D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC/C,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,UAAU;SACjC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,gBAAgB;YACxB,OAAO,EAAG,GAAa,CAAC,OAAO;SAChC,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"platform-proxy.js","sourceRoot":"","sources":["../../src/eval-server/platform-proxy.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,2EAA2E;AAC3E,2EAA2E;AAC3E,2EAA2E;AAC3E,gDAAgD;AAChD,EAAE;AACF,iFAAiF;AACjF,wEAAwE;AACxE,2EAA2E;AAC3E,yEAAyE;AACzE,0EAA0E;AAC1E,yEAAyE;AACzE,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,4BAA4B;AAC5B,EAAE;AACF,gBAAgB;AAChB,wEAAwE;AACxE,2EAA2E;AAC3E,kFAAkF;AAClF,4DAA4D;AAC5D,yEAAyE;AACzE,wEAAwE;AACxE,0EAA0E;AAC1E,oCAAoC;AACpC,oEAAoE;AACpE,4CAA4C;AAC5C,mEAAmE;AACnE,qEAAqE;AACrE,0CAA0C;AAC1C,EAAE;AACF,yDAAyD;AACzD,0DAA0D;AAC1D,2EAA2E;AAC3E,2EAA2E;AAC3E,8EAA8E;AAC9E,qEAAqE;AACrE,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,EAAE;AACF,0EAA0E;AAC1E,sEAAsE;AACtE,yEAAyE;AACzE,8EAA8E;AAE9E,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,oBAAoB,GAAG,4BAA4B,CAAC;AAE1D,4EAA4E;AAC5E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,YAAY;IACZ,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,UAAU;IACV,mBAAmB;IACnB,SAAS;IACT,MAAM;IACN,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,UAAU,kBAAkB;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,cAAc,GAAG;IACrB,iBAAiB;IACjB,uBAAuB;IACvB,2BAA2B;IAC3B,eAAe;IACf,6EAA6E;IAC7E,8EAA8E;IAC9E,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAEX;;;;;GAKG;AACH,MAAM,sBAAsB,GAAG;IAC7B,kBAAkB;IAClB,kBAAkB;CACV,CAAC;AAEX,MAAM,UAAU,qBAAqB,CAAC,GAAuB;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAuB;IACtD,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,6EAA6E;AAC7E,6EAA6E;AAC7E,0EAA0E;AAC1E,6CAA6C;AAC7C,IAAI,YAAY,GAAuD,IAAI,CAAC;AAC5E,MAAM,cAAc,GAAG,MAAM,CAAC;AAE9B,SAAS,iBAAiB,CAAC,MAAc,IAAI,CAAC,GAAG,EAAE;IACjD,IAAI,YAAY,IAAI,YAAY,CAAC,SAAS,GAAG,GAAG;QAAE,OAAO,YAAY,CAAC,KAAK,CAAC;IAC5E,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,CAAC;QACH,KAAK,GAAG,kBAAkB,EAAE,CAAC,cAAc,EAAE,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,KAAK,GAAG,IAAI,CAAC;IACf,CAAC;IACD,YAAY,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,GAAG,cAAc,EAAE,CAAC;IACjE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4BAA4B;AAC5B,MAAM,UAAU,oCAAoC;IAClD,YAAY,GAAG,IAAI,CAAC;AACtB,CAAC;AASD,MAAM,UAAU,sBAAsB,CACpC,GAA6B,EAC7B,OAA2B,EAAE;IAE7B,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,WAAW;YAAE,SAAS;QACvC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QAC9C,uEAAuE;QACvE,sEAAsE;QACtE,0EAA0E;QAC1E,IAAI,CAAC,CAAC,WAAW,EAAE,KAAK,eAAe,IAAI,IAAI,CAAC,IAAI,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpF,SAAS;QACX,CAAC;QACD,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,wEAAwE;IACxE,MAAM,GAAG,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACnC,GAAG,CAAC,iBAAiB,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC;IAEjE,IAAI,IAAI,CAAC,IAAI,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,GAAG,EAAE,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACxE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,IAAI,KAAK,EAAE,CAAC;YACV,GAAG,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,wBAAwB,CAC/B,GAA6B;IAE7B,MAAM,GAAG,GAAsC,EAAE,CAAC;IAClD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,WAAW;YAAE,SAAS;QACvC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QAC9C,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACb,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAyB,EACzB,GAAwB,EACxB,UAAkB,kBAAkB,EAAE;IAEtC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9D,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CACnC;YACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,IAAI,EAAE,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE;YAC1C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;SACxE,EACD,CAAC,WAAW,EAAE,EAAE;YACd,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,IAAI,GAAG,CAAC;YAC7C,MAAM,OAAO,GAAG,wBAAwB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC9D,IAAI,CAAC;gBACH,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,mCAAmC;YACrC,CAAC;YACD,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACvC,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBAC3B,IAAI,CAAC,GAAG,CAAC,aAAa;oBAAE,GAAG,CAAC,GAAG,EAAE,CAAC;gBAClC,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YACH,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,CAAC,CACF,CAAC;QAEF,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC9B,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;gBACvB,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,sBAAsB;oBAC7B,OAAO,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE;oBACvD,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB,CAAC,CACH,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,uEAAuE;QACvE,gEAAgE;QAChE,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,IAAI,CAAC;gBACH,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,gEAAgE;QAChE,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC;AAgCD,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAkC,EAClC,OAA6E,EAAE;IAE/E,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC3E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,EAAE,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG;QACZ,IAAI,EAAE,eAAwB;QAC9B,OAAO;QACP,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE;QAC1D,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC1D,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjE,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,GAAG,OAAO,iCAAiC,EAAE;YACxE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,gBAAgB,EAAE,WAAW;aAC9B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC5B,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;QAC3D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC/C,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,UAAU;SACjC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,MAAM,EAAE,gBAAgB;YACxB,OAAO,EAAG,GAAa,CAAC,OAAO;SAChC,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/eval-server/skill-create-routes.d.ts

@@ -126,6 +126,14 @@ export declare function interpretValidatorResult(skillPath: string, res: SpawnRe
  * helper trivially testable.
  */
 export declare function formatValidatorReport(outcome: ValidatorOutcome): string;
+/** Compute target directory for a new skill based on layout */
+export declare function resolveSafe(base: string, relPath: string): string;
+/**
+ * Build a `.env.example` body from a list of secret env-var names. Each line
+ * is `NAME=` with no value — the file ships placeholders only, never real
+ * secrets. Caller is responsible for including a leading comment if desired.
+ */
+export declare function buildEnvExample(secrets: string[]): string;
 /**
  * Check if a resolved path is strictly within a root directory.
  * Uses trailing separator to prevent prefix collision (e.g., /project vs /project-evil).

package/dist/eval-server/skill-create-routes.js

@@ -412,6 +412,55 @@ export function formatValidatorReport(outcome) {
     }
 }
 /** Compute target directory for a new skill based on layout */
+// ---------------------------------------------------------------------------
+// 0815: path safety + .env.example helpers for multi-file skill creation.
+//
+// resolveSafe rejects any path that would escape the skill directory: absolute
+// paths, drive letters, '..' segments, and relative paths whose resolved form
+// lands outside `base`. Used by POST /api/skills/create when looping the
+// optional `files` map. Throws so the route returns 400.
+// ---------------------------------------------------------------------------
+export function resolveSafe(base, relPath) {
+    if (typeof relPath !== "string" || relPath.length === 0) {
+        throw new Error(`resolveSafe: empty path`);
+    }
+    // Reject absolute paths (POSIX) and Windows drive letters.
+    if (relPath.startsWith("/") || /^[a-zA-Z]:[\\/]/.test(relPath)) {
+        throw new Error(`resolveSafe: refused absolute path '${relPath}'`);
+    }
+    // Reject any '..' segment — easier to reason about than relying on resolve()
+    // alone, since a benign-looking resolve result can still hide a traversal
+    // depending on the realpath of `base`.
+    const segments = relPath.split(/[/\\]+/);
+    if (segments.some((s) => s === "..")) {
+        throw new Error(`resolveSafe: refused traversal in '${relPath}'`);
+    }
+    const resolved = resolve(base, relPath);
+    const baseResolved = resolve(base);
+    // Defense in depth: ensure the resolved path is still inside base.
+    if (resolved !== baseResolved && !resolved.startsWith(baseResolved + sep)) {
+        throw new Error(`resolveSafe: path '${relPath}' escapes base`);
+    }
+    return resolved;
+}
+/**
+ * Build a `.env.example` body from a list of secret env-var names. Each line
+ * is `NAME=` with no value — the file ships placeholders only, never real
+ * secrets. Caller is responsible for including a leading comment if desired.
+ */
+export function buildEnvExample(secrets) {
+    const lines = [
+        "# .env.example — populated by the skill author, never committed.",
+        "# Copy to .env.local in this directory and fill in real values.",
+        "",
+    ];
+    for (const name of secrets) {
+        if (typeof name !== "string" || name.length === 0)
+            continue;
+        lines.push(`${name}=`);
+    }
+    return lines.join("\n") + "\n";
+}
 function computeSkillDir(root, layout, plugin, name) {
     switch (layout) {
         case 1: return join(root, plugin, "skills", name);
@@ -1018,6 +1067,53 @@ export function registerSkillCreateRoutes(router, root) {
                     catch { /* history write failure should not break the main response */ }
                 }
             }
+            // -------------------------------------------------------------------
+            // 0815: multi-file payload — write auxiliary files atomically.
+            //
+            // Each `files` entry is validated through resolveSafe() before any I/O.
+            // On any failure mid-write, rollback by removing the skill directory
+            // (unless this is an update — preserve existing user content). The
+            // rollback is intentionally NOT inside a finally — the existing outer
+            // try/catch (a few lines below) handles top-level failures and we want
+            // the path-traversal case to surface as a 400 with the dir cleaned up.
+            // -------------------------------------------------------------------
+            if (body.files && typeof body.files === "object") {
+                const written = [];
+                try {
+                    for (const [relPath, contents] of Object.entries(body.files)) {
+                        if (typeof contents !== "string") {
+                            throw new Error(`files['${relPath}'] is not a string`);
+                        }
+                        const safePath = resolveSafe(targetDir, relPath);
+                        const safeDir = safePath.slice(0, safePath.lastIndexOf(sep));
+                        mkdirSync(safeDir, { recursive: true });
+                        writeFileSync(safePath, contents, "utf-8");
+                        written.push(safePath);
+                    }
+                }
+                catch (err) {
+                    // Rollback: clean up the partial directory unless we're updating.
+                    if (!isUpdateMode) {
+                        try {
+                            rmSync(targetDir, { recursive: true, force: true });
+                        }
+                        catch { /* best-effort */ }
+                    }
+                    sendJson(res, {
+                        error: `Failed to write multi-file payload: ${err.message}`,
+                        code: "multi-file-write-failed",
+                    }, 400, req);
+                    return;
+                }
+            }
+            // 0815: emit .env.example from declared secrets (placeholders only).
+            if (Array.isArray(body.secrets) && body.secrets.length > 0) {
+                try {
+                    const envExamplePath = join(targetDir, ".env.example");
+                    writeFileSync(envExamplePath, buildEnvExample(body.secrets), "utf-8");
+                }
+                catch { /* non-blocking — secrets are advisory */ }
+            }
             // Finalize: remove draft.json if it exists (draft → final)
             const draftPath = join(targetDir, "draft.json");
             if (existsSync(draftPath)) {