vskill 1.0.16 → 1.0.19

package/dist/eval-server/__tests__/helpers/studio-token-test-helpers.d.ts

@@ -0,0 +1,2 @@
+/** Returns `{ "x-studio-token": <token> }` for spreading into headers. */
+export declare function studioTokenHeaders(): Record<string, string>;

package/dist/eval-server/__tests__/helpers/studio-token-test-helpers.js

@@ -0,0 +1,20 @@
+// ---------------------------------------------------------------------------
+// 0836 US-002 — test helpers for the X-Studio-Token gate.
+//
+// Tests that drive `Router.handle()` against `/api/*` paths must include the
+// live studio token; otherwise the gate writes 401 and the route handler
+// never runs. Use:
+//
+//   import { studioTokenHeaders } from "./helpers/studio-token-test-helpers.js";
+//   const req = { ..., headers: { host: "localhost", ...studioTokenHeaders() } };
+//
+// For real-fetch tests:
+//
+//   await fetch(url, { headers: studioTokenHeaders() });
+// ---------------------------------------------------------------------------
+import { getStudioToken } from "../../router.js";
+/** Returns `{ "x-studio-token": <token> }` for spreading into headers. */
+export function studioTokenHeaders() {
+    return { "x-studio-token": getStudioToken() };
+}
+//# sourceMappingURL=studio-token-test-helpers.js.map

package/dist/eval-server/__tests__/helpers/studio-token-test-helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"studio-token-test-helpers.js","sourceRoot":"","sources":["../../../../src/eval-server/__tests__/helpers/studio-token-test-helpers.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,0DAA0D;AAC1D,EAAE;AACF,6EAA6E;AAC7E,yEAAyE;AACzE,mBAAmB;AACnB,EAAE;AACF,iFAAiF;AACjF,kFAAkF;AAClF,EAAE;AACF,wBAAwB;AACxB,EAAE;AACF,yDAAyD;AACzD,8EAA8E;AAE9E,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEjD,0EAA0E;AAC1E,MAAM,UAAU,kBAAkB;IAChC,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,EAAE,CAAC;AAChD,CAAC"}

package/dist/eval-server/active-root-store.d.ts

@@ -0,0 +1,19 @@
+export interface ActiveRootStore {
+    /** The scan root all route handlers should use, resolved per request. */
+    getRoot(): string;
+    /** Replace the active scan root (e.g. after a project switch). */
+    setRoot(root: string): void;
+    /**
+     * Re-derive the active root from `~/.vskill/workspace.json`'s active project.
+     * Updates the store and returns the new value; if no active project resolves,
+     * the current root is kept and returned.
+     */
+    reload(workspaceDir: string): string;
+}
+/**
+ * Resolve the active project's path from the workspace registry. Returns null
+ * when there is no workspace, no active project, or the active id is dangling.
+ * Shared by both boot resolution (eval-server) and runtime reloads (this store).
+ */
+export declare function resolveActiveRoot(workspaceDir: string): string | null;
+export declare function createActiveRootStore(initialRoot: string): ActiveRootStore;

package/dist/eval-server/active-root-store.js

@@ -0,0 +1,50 @@
+// ---------------------------------------------------------------------------
+// 0863 T-001: ActiveRootStore — runtime-mutable scan root.
+//
+// Before 0863, the eval-server resolved the scan root ONCE at boot and froze
+// it into every route handler's closure, so switching the active project from
+// the UI (POST /api/workspace/active) changed ~/.vskill/workspace.json but the
+// running server kept serving the original folder's skills.
+//
+// This store holds the current scan root in memory and lets handlers read it
+// per-request via `getRoot()`. `POST /api/workspace/active` calls `setRoot()`
+// after persisting, so the next `GET /api/skills` scans the new folder — no
+// process restart, no port change, no studio-token re-mint. The same code path
+// works in `npx vskill studio` (single process) and the desktop Tauri sidecar.
+// ---------------------------------------------------------------------------
+import { loadWorkspace } from "./workspace-store.js";
+/**
+ * Resolve the active project's path from the workspace registry. Returns null
+ * when there is no workspace, no active project, or the active id is dangling.
+ * Shared by both boot resolution (eval-server) and runtime reloads (this store).
+ */
+export function resolveActiveRoot(workspaceDir) {
+    try {
+        const ws = loadWorkspace(workspaceDir);
+        if (!ws.activeProjectId)
+            return null;
+        const active = ws.projects.find((p) => p.id === ws.activeProjectId);
+        return active ? active.path : null;
+    }
+    catch {
+        return null;
+    }
+}
+export function createActiveRootStore(initialRoot) {
+    let current = initialRoot;
+    return {
+        getRoot() {
+            return current;
+        },
+        setRoot(root) {
+            current = root;
+        },
+        reload(workspaceDir) {
+            const resolved = resolveActiveRoot(workspaceDir);
+            if (resolved)
+                current = resolved;
+            return current;
+        },
+    };
+}
+//# sourceMappingURL=active-root-store.js.map

package/dist/eval-server/active-root-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"active-root-store.js","sourceRoot":"","sources":["../../src/eval-server/active-root-store.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,2DAA2D;AAC3D,EAAE;AACF,6EAA6E;AAC7E,8EAA8E;AAC9E,+EAA+E;AAC/E,4DAA4D;AAC5D,EAAE;AACF,6EAA6E;AAC7E,8EAA8E;AAC9E,4EAA4E;AAC5E,+EAA+E;AAC/E,+EAA+E;AAC/E,8EAA8E;AAE9E,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAerD;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,YAAoB;IACpD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QACrC,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,eAAe,CAAC,CAAC;QACpE,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,WAAmB;IACvD,IAAI,OAAO,GAAG,WAAW,CAAC;IAC1B,OAAO;QACL,OAAO;YACL,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,CAAC,IAAY;YAClB,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QACD,MAAM,CAAC,YAAoB;YACzB,MAAM,QAAQ,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;YACjD,IAAI,QAAQ;gBAAE,OAAO,GAAG,QAAQ,CAAC;YACjC,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/eval-server/active-tenant-routes.d.ts

@@ -0,0 +1,15 @@
+import * as http from "node:http";
+import { type ActiveTenantOptions } from "../lib/active-tenant.js";
+export interface ActiveTenantRoutesOptions {
+    /**
+     * Forward to the helpers (tests). Production passes nothing; the
+     * helpers default to `~/.vskill/config.json`.
+     */
+    activeTenantOptions?: ActiveTenantOptions;
+}
+/**
+ * Returns true when the request was handled (response sent). Returns false
+ * when the URL/method doesn't match — the caller (eval-server.ts) falls
+ * through to the next handler (proxy / static).
+ */
+export declare function handleActiveTenant(req: http.IncomingMessage, res: http.ServerResponse, opts?: ActiveTenantRoutesOptions): Promise<boolean>;

package/dist/eval-server/active-tenant-routes.js

@@ -0,0 +1,101 @@
+// ---------------------------------------------------------------------------
+// active-tenant-routes.ts — 0839 T-011 / US-004.
+//
+// Loopback-only `/__internal/active-tenant` GET/POST handler used by the
+// Studio TenantPicker (eval-ui T-012/T-013). Reads/writes
+// `~/.vskill/config.json` via the shared helpers in
+// `../lib/active-tenant.ts`, so the CLI (`vskill orgs use`) and the
+// Studio always agree on which tenant is active.
+//
+// Why the path doesn't start with `/api/`:
+//   The studio-token gate in `router.ts` only applies to `/api/*`. This
+//   route is a UX convenience that needs to work without the WebView
+//   threading the studio token (it predates the gate). We compensate
+//   with three lower-bound guards:
+//     1. Loopback-only (req.socket.remoteAddress).
+//     2. The eval-server already binds 127.0.0.1 (US-001 hardening).
+//     3. The handler refuses anything but GET / POST + tiny body.
+//
+// Audit logging is intentionally absent — this is a local-only,
+// non-secret read/write of the user's own config file. Logging it would
+// be noise (and the path itself isn't sensitive).
+// ---------------------------------------------------------------------------
+import { readBody, sendJson } from "./router.js";
+import { getActiveTenant, setActiveTenant, } from "../lib/active-tenant.js";
+function isLoopback(req) {
+    const addr = req.socket?.remoteAddress ?? "";
+    return (addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1");
+}
+/**
+ * Returns true when the request was handled (response sent). Returns false
+ * when the URL/method doesn't match — the caller (eval-server.ts) falls
+ * through to the next handler (proxy / static).
+ */
+export async function handleActiveTenant(req, res, opts = {}) {
+    const url = req.url || "";
+    // Path-based match (no query string is honored, but we strip it just in
+    // case the caller appended `?_=` for cache-busting).
+    const path = url.split("?")[0];
+    if (path !== "/__internal/active-tenant")
+        return false;
+    // Loopback guard — the eval-server binds 127.0.0.1 already, but a
+    // misconfigured proxy or future port-forward could subvert that.
+    if (!isLoopback(req)) {
+        sendJson(res, { ok: false, error: "loopback-only" }, 403, req);
+        return true;
+    }
+    const method = (req.method ?? "GET").toUpperCase();
+    if (method === "GET") {
+        const slug = getActiveTenant(opts.activeTenantOptions);
+        sendJson(res, { currentTenant: slug });
+        return true;
+    }
+    if (method === "POST") {
+        let body;
+        try {
+            body = await readBody(req);
+        }
+        catch {
+            sendJson(res, { ok: false, error: "invalid JSON" }, 400, req);
+            return true;
+        }
+        if (!body || typeof body !== "object") {
+            sendJson(res, { ok: false, error: "expected { currentTenant }" }, 400, req);
+            return true;
+        }
+        const incoming = body.currentTenant;
+        // Accept null (clear) and non-empty string. Reject anything else so
+        // we don't silently coerce numbers/booleans into config corruption.
+        let slug;
+        if (incoming === null) {
+            slug = null;
+        }
+        else if (typeof incoming === "string" && incoming.length > 0) {
+            // Cheap shape check — slugs are URL-safe DNS labels in the platform
+            // schema. Refusing weird input here saves a round-trip to a 4xx
+            // tenant lookup later.
+            if (!/^[a-z0-9][a-z0-9-]*$/i.test(incoming)) {
+                sendJson(res, { ok: false, error: "invalid slug format" }, 400, req);
+                return true;
+            }
+            slug = incoming;
+        }
+        else {
+            sendJson(res, { ok: false, error: "currentTenant must be string|null" }, 400, req);
+            return true;
+        }
+        try {
+            setActiveTenant(slug, opts.activeTenantOptions);
+        }
+        catch (err) {
+            sendJson(res, { ok: false, error: err.message }, 500, req);
+            return true;
+        }
+        sendJson(res, { currentTenant: slug });
+        return true;
+    }
+    // Other methods.
+    sendJson(res, { ok: false, error: "method not allowed" }, 405, req);
+    return true;
+}
+//# sourceMappingURL=active-tenant-routes.js.map

package/dist/eval-server/active-tenant-routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"active-tenant-routes.js","sourceRoot":"","sources":["../../src/eval-server/active-tenant-routes.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,iDAAiD;AACjD,EAAE;AACF,yEAAyE;AACzE,0DAA0D;AAC1D,oDAAoD;AACpD,oEAAoE;AACpE,iDAAiD;AACjD,EAAE;AACF,2CAA2C;AAC3C,wEAAwE;AACxE,qEAAqE;AACrE,qEAAqE;AACrE,mCAAmC;AACnC,mDAAmD;AACnD,qEAAqE;AACrE,kEAAkE;AAClE,EAAE;AACF,gEAAgE;AAChE,wEAAwE;AACxE,kDAAkD;AAClD,8EAA8E;AAG9E,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EACL,eAAe,EACf,eAAe,GAEhB,MAAM,yBAAyB,CAAC;AAUjC,SAAS,UAAU,CAAC,GAAyB;IAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC;IAC7C,OAAO,CACL,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,kBAAkB,CACtE,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAyB,EACzB,GAAwB,EACxB,OAAkC,EAAE;IAEpC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC1B,wEAAwE;IACxE,qDAAqD;IACrD,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,IAAI,KAAK,2BAA2B;QAAE,OAAO,KAAK,CAAC;IAEvD,kEAAkE;IAClE,iEAAiE;IACjE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,QAAQ,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACnD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACvD,QAAQ,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,QAAQ,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC5E,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,QAAQ,GAAI,IAAoC,CAAC,aAAa,CAAC;QAErE,oEAAoE;QACpE,oEAAoE;QACpE,IAAI,IAAmB,CAAC;QACxB,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,GAAG,IAAI,CAAC;QACd,CAAC;aAAM,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/D,oEAAoE;YACpE,gEAAgE;YAChE,uBAAuB;YACvB,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5C,QAAQ,CACN,GAAG,EACH,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,EAC3C,GAAG,EACH,GAAG,CACJ,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,GAAG,QAAQ,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,QAAQ,CACN,GAAG,EACH,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,EAAE,EACzD,GAAG,EACH,GAAG,CACJ,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CACN,GAAG,EACH,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,EAC5C,GAAG,EACH,GAAG,CACJ,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,QAAQ,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iBAAiB;IACjB,QAAQ,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACpE,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/eval-server/api-routes.d.ts

@@ -214,4 +214,4 @@ export declare function detectAvailableProviders(): Promise<Array<{
     models: ModelOption[];
     resolvedModel?: string | null;
 }>>;
-export declare function registerRoutes(router: Router, root: string, projectName?: string): void;
+export declare function registerRoutes(router: Router, rootArg: string | (() => string), projectName?: string): void;

package/dist/eval-server/api-routes.js

@@ -931,6 +931,12 @@ export const PROVIDER_MODELS = {
     // what models the user has loaded. The probe at probeLmStudio() populates
     // this dynamically from GET /v1/models.
     "lm-studio": [],
+    // 0857: `stub` is a deterministic TEST SEAM (src/eval/llm.ts createStubClient),
+    // NOT a user-facing provider. This empty list exists only to satisfy the
+    // `Record<ProviderName, ModelOption[]>` exhaustiveness check — `stub` is
+    // deliberately excluded from `detectAvailableProviders()` and
+    // `KNOWN_PROVIDER_NAMES`, so it never reaches /api/config or the picker.
+    "stub": [],
 };
 // ---------------------------------------------------------------------------
 // Local provider detection caches — avoid 500ms+ probes on every /api/config
@@ -1148,7 +1154,8 @@ export async function detectAvailableProviders() {
     });
     return providers;
 }
-export function registerRoutes(router, root, projectName) {
+export function registerRoutes(router, rootArg, projectName) {
+    const getRoot = typeof rootArg === "function" ? rootArg : () => rootArg;
     // Health check
     router.get("/api/health", (_req, res) => {
         sendJson(res, { ok: true });
@@ -1167,6 +1174,7 @@ export function registerRoutes(router, root, projectName) {
     // shared-folder grouping. 30s detection cache (mirrors Ollama/LM Studio
     // probe pattern from 0677).
     router.get("/api/agents", async (req, res) => {
+        const root = getRoot();
         try {
             const detected = await detectInstalledAgents();
             const detectedBinaries = new Set(detected.map((a) => a.id));
@@ -1367,6 +1375,7 @@ export function registerRoutes(router, root, projectName) {
     // (e.g. "claude-sonnet"). The frontend round-trips config.model back to
     // generate-evals and other endpoints, so it must be a valid CLI model ID.
     router.get("/api/config", async (_req, res) => {
+        const root = getRoot();
         // 0682 F-001 — Boot-time restoration of .vskill/studio.json selection.
         // Use a dedicated `studioLoaded` flag rather than checking
         // `!currentOverrides.provider` because the module default
@@ -1436,6 +1445,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Update config — change provider/model at runtime and persist atomically.
     router.post("/api/config", async (req, res) => {
+        const root = getRoot();
         const body = (await readBody(req));
         // 0682 F-001 (review iter 3): validate the incoming provider against the
         // ProviderName union BEFORE mutating currentOverrides. Pre-fix, an
@@ -1497,6 +1507,7 @@ export function registerRoutes(router, root, projectName) {
     //     unknown/missing fields default to `null` (not undefined) so the shape
     //     remains JSON-stable for all consumers.
     router.get("/api/skills", async (req, res) => {
+        const root = getRoot();
         // 0686: ?scope=own|installed|global and ?agent=<id> query params.
         // When either is present, switch to tri-scope scanning so the response
         // carries the new `scope`/`isSymlink`/`symlinkTarget`/`installMethod`/
@@ -1651,6 +1662,7 @@ export function registerRoutes(router, root, projectName) {
         }
     });
     router.get("/api/skills/updates", async (req, res) => {
+        const root = getRoot();
         try {
             const { getOutdatedJson } = await import("../commands/outdated.js");
             const { scanSkillInstallLocations } = await import("./utils/scan-install-locations.js");
@@ -1708,7 +1720,7 @@ export function registerRoutes(router, root, projectName) {
      * git remote parse for skills authored in this repo. See skill-name-resolver.ts.
      */
     function resolveSkillApiName(skill, plugin = null) {
-        return resolveSkillApiNameImpl(skill, root, plugin);
+        return resolveSkillApiNameImpl(skill, getRoot(), plugin);
     }
     // T-009 (proxy) + 0707 T-021 (harden): Versions endpoint
     //
@@ -1727,7 +1739,7 @@ export function registerRoutes(router, root, projectName) {
     // Returns `{ apiPathRoot, origin }` — callers append `/versions` or
     // `/versions/diff` as needed.
     async function buildSkillApiPath(skill, plugin) {
-        const origin = await resolveSkillOrigin(skill, plugin, root);
+        const origin = await resolveSkillOrigin(skill, plugin, getRoot());
         if (origin.owner && origin.repo) {
             return {
                 apiPathRoot: `/api/v1/skills/${encodeURIComponent(origin.owner)}/${encodeURIComponent(origin.repo)}/${encodeURIComponent(skill)}`,
@@ -1744,6 +1756,7 @@ export function registerRoutes(router, root, projectName) {
         return { apiPathRoot, origin };
     }
     router.get("/api/skills/:plugin/:skill/versions", async (req, res, params) => {
+        const root = getRoot();
         // 0823: comprehensive origin resolver via shared buildSkillApiPath.
         const { apiPathRoot, origin } = await buildSkillApiPath(params.skill, params.plugin);
         const apiPath = `${apiPathRoot}/versions`;
@@ -1906,6 +1919,7 @@ export function registerRoutes(router, root, projectName) {
     //
     // Idempotent + side-effect free on disk.
     router.post("/api/v1/skills/:id/rescan", async (req, res, params) => {
+        const root = getRoot();
         const rawId = String(params.id ?? "");
         const decoded = (() => {
             try {
@@ -1992,6 +2006,7 @@ export function registerRoutes(router, root, projectName) {
         sendJson(res, { jobId }, 200, req);
     });
     router.post("/api/skills/:plugin/:skill/update", async (req, res, params) => {
+        const root = getRoot();
         initSSE(res, req);
         const skillName = params.skill;
         // 0747 grill F-002: reject before doing anything so a malformed slug
@@ -2071,6 +2086,7 @@ export function registerRoutes(router, root, projectName) {
     // T-012: Batch update SSE + 409 conflict guard
     let batchUpdateInProgress = false;
     router.post("/api/skills/batch-update", async (req, res) => {
+        const root = getRoot();
         if (batchUpdateInProgress) {
             sendJson(res, { error: "Update already in progress" }, 409, req);
             return;
@@ -2139,7 +2155,7 @@ export function registerRoutes(router, root, projectName) {
     const skillFsAllowedRoots = () => {
         const home = homedir();
         return [
-            root,
+            getRoot(),
             join(home, ".claude/plugins/cache"),
             join(home, ".claude/plugins/marketplaces"),
             join(home, ".claude/skills"),
@@ -2156,7 +2172,7 @@ export function registerRoutes(router, root, projectName) {
     // path via setSkillDirEntry inside ensurePluginCacheEntry.
     const resolveSkillDirForFsRoute = async (plugin, skill) => {
         await ensurePluginCacheEntry(plugin, skill);
-        return resolveAllowedSkillDir(root, plugin, skill, skillFsAllowedRoots());
+        return resolveAllowedSkillDir(getRoot(), plugin, skill, skillFsAllowedRoots());
     };
     // Get skill detail
     router.get("/api/skills/:plugin/:skill", async (req, res, params) => {
@@ -2342,6 +2358,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Save (create/overwrite) a file inside a skill directory
     router.put("/api/skills/:plugin/:skill/file", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         if (!resolve(skillDir).startsWith(resolve(root))) {
             sendJson(res, { error: "Invalid skill path" }, 400, req);
@@ -2371,6 +2388,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Delete a source skill (recursively removes its directory)
     router.delete("/api/skills/:plugin/:skill", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         // Path containment guard — prevent path traversal via ".." in params
         if (!resolve(skillDir).startsWith(resolve(root))) {
@@ -2411,6 +2429,7 @@ export function registerRoutes(router, root, projectName) {
     // this route is the canonical uninstall path for lockfile-tracked
     // installed skills.
     router.post("/api/skills/:plugin/:skill/uninstall", async (req, res, params) => {
+        const root = getRoot();
         // Skill-name validation — same kebab-case regex used by skill-create
         // routes. Performed BEFORE any filesystem access to defang path-traversal
         // attempts (e.g. `../../etc/passwd`).
@@ -2499,6 +2518,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Get skill description (for activation testing preview)
     router.get("/api/skills/:plugin/:skill/description", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const skillMdPath = join(skillDir, "SKILL.md");
         let skillContent = "";
@@ -2524,6 +2544,7 @@ export function registerRoutes(router, root, projectName) {
     // generic client errors — 422 Unprocessable Entity is the correct semantic
     // for well-formed requests whose payload fails validation.
     router.get("/api/skills/:plugin/:skill/evals", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const evalsPath = join(skillDir, "evals", "evals.json");
         if (!existsSync(evalsPath)) {
@@ -2548,6 +2569,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Save evals.json
     router.put("/api/skills/:plugin/:skill/evals", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const body = (await readBody(req));
         // Validate before writing
@@ -2565,6 +2587,7 @@ export function registerRoutes(router, root, projectName) {
     // Generate evals using AI — reads SKILL.md and returns generated EvalsFile
     // Accepts optional { provider, model, testType } in request body
     router.post("/api/skills/:plugin/:skill/generate-evals", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const skillMdPath = join(skillDir, "SKILL.md");
         if (!existsSync(skillMdPath)) {
@@ -2674,6 +2697,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Run benchmark (SSE) — optionally accepts { eval_ids, concurrency, judgeModel, noCache }
     router.post("/api/skills/:plugin/:skill/benchmark", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         let aborted = false;
         res.on("close", () => { aborted = true; });
@@ -2725,6 +2749,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Run baseline (SSE) — same as benchmark but without skill content
     router.post("/api/skills/:plugin/:skill/baseline", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         let aborted = false;
         res.on("close", () => { aborted = true; });
@@ -2748,6 +2773,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Run single case (SSE) — per-case endpoint with semaphore
     router.post("/api/skills/:plugin/:skill/benchmark/case/:evalId", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const evalId = parseInt(params.evalId, 10);
         if (isNaN(evalId)) {
@@ -2823,6 +2849,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Bulk save — client assembles result from per-case runs and saves as one history entry
     router.post("/api/skills/:plugin/:skill/benchmark/bulk-save", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         try {
             const body = await readBody(req);
@@ -2841,6 +2868,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Run comparison (SSE)
     router.post("/api/skills/:plugin/:skill/compare", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         let aborted = false;
         res.on("close", () => { aborted = true; });
@@ -3047,6 +3075,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // List benchmark history (with optional filters)
     router.get("/api/skills/:plugin/:skill/history", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const url = new URL(req.url, `http://localhost`);
         const filter = {};
@@ -3069,6 +3098,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Compare two history runs
     router.get("/api/skills/:plugin/:skill/history-compare", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const url = new URL(req.url, `http://localhost`);
         const tsA = url.searchParams.get("a");
@@ -3132,6 +3162,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Per-case history
     router.get("/api/skills/:plugin/:skill/history/case/:evalId", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const evalId = parseInt(params.evalId, 10);
         if (isNaN(evalId)) {
@@ -3145,6 +3176,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Get specific history entry
     router.get("/api/skills/:plugin/:skill/history/:timestamp", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const entry = await readHistoryEntry(skillDir, params.timestamp);
         if (!entry) {
@@ -3155,6 +3187,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Delete history entry
     router.delete("/api/skills/:plugin/:skill/history/:timestamp", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const deleted = await deleteHistoryEntry(skillDir, params.timestamp);
         if (!deleted) {
@@ -3165,6 +3198,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Get aggregated stats
     router.get("/api/skills/:plugin/:skill/stats", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const stats = await computeStats(skillDir);
         sendJson(res, stats, 200, req);
@@ -3179,6 +3213,7 @@ export function registerRoutes(router, root, projectName) {
     // Works for any plugin slug (including dashes like `google-workspace`)
     // because routing uses `[^/]+` groups (see router.ts T-020).
     router.get("/api/skills/:plugin/:skill/benchmark/latest", async (req, res, params) => {
+        const root = getRoot();
         // 0704: always 200; body null = no benchmark persisted yet.
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const benchmark = await readBenchmark(skillDir);
@@ -3186,6 +3221,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // Run activation test (SSE)
     router.post("/api/skills/:plugin/:skill/activation-test", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         let aborted = false;
         res.on("close", () => { aborted = true; });
@@ -3256,6 +3292,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // GET parsed `## Test Cases` block from SKILL.md (increment 0776)
     router.get("/api/skills/:plugin/:skill/test-cases", (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const skillMdPath = join(skillDir, "SKILL.md");
         const content = existsSync(skillMdPath) ? readFileSync(skillMdPath, "utf-8") : "";
@@ -3266,6 +3303,7 @@ export function registerRoutes(router, root, projectName) {
     // Empty prompts array removes the section. Frontmatter and other body
     // sections are preserved verbatim.
     router.put("/api/skills/:plugin/:skill/test-cases", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const skillMdPath = join(skillDir, "SKILL.md");
         const body = (await readBody(req));
@@ -3296,6 +3334,7 @@ export function registerRoutes(router, root, projectName) {
     });
     // AI-generate activation test prompts (SSE)
     router.post("/api/skills/:plugin/:skill/activation-prompts", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         let aborted = false;
         res.on("close", () => { aborted = true; });
@@ -3361,6 +3400,7 @@ Return ONLY the JSON lines, no other text.`;
     //   500 { error }                           only for unexpected I/O failures
     //                                           (ENOENT is explicitly not one)
     router.get("/api/skills/:plugin/:skill/activation-history", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         try {
             const runs = await listActivationRuns(skillDir);
@@ -3379,6 +3419,7 @@ Return ONLY the JSON lines, no other text.`;
     });
     // Get full activation test run by ID
     router.get("/api/skills/:plugin/:skill/activation-history/:runId", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const run = await getActivationRun(skillDir, params.runId);
         if (!run) {
@@ -3389,6 +3430,7 @@ Return ONLY the JSON lines, no other text.`;
     });
     // Get skill dependencies (MCP + skill-to-skill)
     router.get("/api/skills/:plugin/:skill/dependencies", async (req, res, params) => {
+        const root = getRoot();
         const skillDir = resolveSkillDir(root, params.plugin, params.skill);
         const skillMdPath = join(skillDir, "SKILL.md");
         if (!existsSync(skillMdPath)) {
@@ -3406,6 +3448,7 @@ Return ONLY the JSON lines, no other text.`;
     // server-side via scanSkillInstallLocations and rejects any non-basename
     // `file`. Spawn is detached + unref'd so the response returns immediately.
     router.post("/api/skills/reveal-in-editor", async (req, res) => {
+        const root = getRoot();
         let body;
         try {
             body = (await readBody(req));
@@ -3536,6 +3579,7 @@ Return ONLY the JSON lines, no other text.`;
     //   500 { error: "clone_failed", message: <stderr tail>, exitCode }
     // -------------------------------------------------------------------------
     router.post("/api/skills/clone", async (req, res) => {
+        const root = getRoot();
         let body;
         try {
             body = (await readBody(req));
@@ -3654,14 +3698,23 @@ Return ONLY the JSON lines, no other text.`;
             stdout: stdout.trim().split("\n").slice(-8).join("\n"),
         }, 200, req);
     });
-    // Handle CORS preflight
+    // Handle CORS preflight.
+    //
+    // 0836 US-002 (F-017 follow-up): every authenticated /api/* request now
+    // carries the `X-Studio-Token` custom header. Browser-initiated cross-origin
+    // fetches issue a CORS preflight; the response MUST list `X-Studio-Token`
+    // in `Access-Control-Allow-Headers` or the browser blocks the actual
+    // request. The desktop hot path is same-origin (WebView is navigated to
+    // `http://127.0.0.1:{port}/`) and skips preflight, but CLI users opening
+    // the studio in a regular browser tab — and any future cross-origin
+    // tooling — depend on this echo.
     router.options = (req, res) => {
         const origin = req.headers.origin;
         if (origin && /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) {
             res.writeHead(204, {
                 "Access-Control-Allow-Origin": origin,
                 "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-                "Access-Control-Allow-Headers": "Content-Type",
+                "Access-Control-Allow-Headers": "Content-Type, X-Studio-Token",
                 "Access-Control-Max-Age": "3600",
             });
         }