Harden cross-platform skill installer packaging#7
Closed
trewwwsec wants to merge 7 commits into
Closed
Conversation
Codex needs flattened skill installs while retaining Claude-compatible output, so the installer and manifest generator now emit both paths and docs describe the fork as Codex-first.\n\nConstraint: Codex installs skills under $CODEX_HOME/skills/<skill-name>; Claude expects the existing category tree.\nRejected: Replacing Claude support outright | preserving upstream portability keeps the fork useful across both agents.\nConfidence: high\nScope-risk: moderate\nDirective: Keep frontmatter name values aligned with skill folder names or Codex installs will fail validation.\nTested: python3 tools/build_manifest.py; ./install.sh --platform codex --dry-run; ./install.sh --platform claude --dry-run; bash -n install.sh\nNot-tested: Live install into user agent directories.
Rename project-facing identity from codex-red to skills-red so the library describes both Claude and Codex as first-class skill targets while preserving platform-specific install layouts. Constraint: User requested repo/project rename because the skills work across Claude and Codex. Rejected: Keeping Codex-first branding | It misrepresents the cross-platform skill surface. Confidence: high Scope-risk: narrow Directive: Keep upstream Claude Red references only when they are attribution or upstream-install links. Tested: python3 tools/build_manifest.py; bash -n install.sh; ./install.sh --platform codex --dry-run; ./install.sh --platform claude --dry-run Not-tested: Remote GitHub repository existence and permissions before push
Add OpenCode as a first-class install and manifest target while preserving Codex and Claude layouts. OpenCode-specific description normalization is isolated to OpenCode outputs so canonical SKILL.md metadata remains shared for existing platforms. Constraint: OpenCode skills use ~/.config/opencode/skills/<name>/SKILL.md and require compatible skill metadata. Rejected: Shortening canonical skill descriptions for every platform | it would regress Codex and Claude trigger metadata. Confidence: high Scope-risk: narrow Directive: Keep future platform-specific metadata transforms isolated from canonical SKILL.md content unless all platforms intentionally adopt the same constraint. Tested: bash -n install.sh; python3 -m py_compile tools/build_manifest.py; python3 tools/build_manifest.py; install dry-runs for codex, claude, opencode, and opencode web category; shellcheck install.sh; git diff --check; real temp install smoke for Codex and OpenCode cloud skill metadata. Not-tested: Running OpenCode itself to confirm live skill discovery.
Share platform install roots between installer and manifest tooling so generated indexes can be checked against the same defaults before release. Constraint: Root manifests remain generated from Skills/**/SKILL.md and platform defaults. Rejected: Duplicating install-path literals in installer, manifest builder, and freshness checker | drift already made review harder. Confidence: high Scope-risk: narrow Directive: Regenerate manifests with python3 tools/build_manifest.py and verify freshness before packaging changes. Tested: python3 tools/build_manifest.py; python3 tools/check_manifest_fresh.py; ./install.sh --platform codex --dry-run; ./install.sh --platform claude --dry-run; ./install.sh --platform opencode --dry-run; bash -n install.sh; bash -n tools/platform_defaults.sh Not-tested: Actual installs were not run because dry-run validates packaging paths without modifying user skill directories.
Use a skills-red namespace with category-preserving paths for generated manifests and default Codex/OpenCode installs so packaged skills remain grouped by source while matching current recursive discovery. Constraint: Codex and OpenCode currently discover nested SKILL.md files recursively under skill roots; Claude already preserves the category tree under skills-red. Rejected: Keeping Codex/OpenCode flattened at the skill root | it loses source-library grouping and diverges from the requested namespace. Confidence: high Scope-risk: moderate Directive: If Codex or OpenCode drops recursive skill discovery, update tools/platform_defaults.sh, install.sh, README.md, and regenerated manifests together. Tested: python3 -m py_compile tools/build_manifest.py tools/check_manifest_fresh.py; python3 tools/build_manifest.py; python3 tools/check_manifest_fresh.py; ./install.sh --platform codex --dry-run; ./install.sh --platform claude --dry-run; ./install.sh --platform opencode --dry-run; ./install.sh --platform codex --category web --dry-run; ./install.sh --platform opencode --category web --dry-run; bash -n install.sh; bash -n tools/platform_defaults.sh; shellcheck install.sh tools/platform_defaults.sh; git diff --cached --check; git diff --check Not-tested: Actual installs were not run; verification used dry-runs and manifest freshness checks.
Constraint: installer previously selected Codex implicitly when --platform was omitted. Rejected: Keep Codex as fallback | user requested no default platform. Confidence: high Scope-risk: narrow Directive: Do not reintroduce an implicit platform default in install.sh. Tested: bash -n install.sh; python3 tools/build_manifest.py; python3 tools/check_manifest_fresh.py; ./install.sh --platform codex --dry-run; ./install.sh --platform claude --dry-run; ./install.sh --platform opencode --dry-run; non-interactive ./install.sh --dry-run fails without --platform; interactive ./install.sh --dry-run prompts for platform and target. Not-tested: Actual copy install outside dry-run.
Validate --category as a first-level Skills directory before deriving install source or destination paths, preserving existing platform layout behavior while rejecting traversal-shaped values. Constraint: install.sh category installs must keep Codex, Claude, and OpenCode dry-run behavior unchanged for valid first-level categories. Rejected: Broader installer refactors for target operand handling or copy option terminators | outside the reviewed high-priority traversal fix scope. Confidence: high Scope-risk: narrow Directive: Keep --category as a single path segment unless category topology is intentionally redesigned across listing, validation, and install planning. Tested: bash -n install.sh; shellcheck -x install.sh; python3 tools/build_manifest.py; install dry-runs for codex, claude, opencode; valid web category dry-runs for all platforms; negative traversal category dry-runs for .., ../web, web/.., ., and web\... Not-tested: Non-dry-run installation into live user skill directories.
Author
|
AI slop. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
skills-red/<category>/<skill>layout while preserving Claude category installs--categoryhandling so traversal or malformed category values fail before source/destination planningInstall traversal fix
install.shnow validates--categoryas a single first-levelSkills/<category>directory. Values such as..,../web,web/..,., and backslash-containing input are rejected with a clear validation error before dry-run copy planning or installation.Verification
bash -n install.shshellcheck -x install.shpython3 tools/build_manifest.py./install.sh --platform codex --dry-run./install.sh --platform claude --dry-run./install.sh --platform opencode --dry-run./install.sh --platform codex --category web --dry-run./install.sh --platform claude --category web --dry-run./install.sh --platform opencode --category web --dry-run--category ..,../web,web/..,., andweb\\..fail before copy planningNotes
--target/ missing operands is intentionally left as follow-up scope.