fix: address CodeRabbit review findings

rohitg00 · rohitg00 · commit fcfd9acdb028 · 2026-02-10T08:56:16.000Z
- wellknown.ts: drop multiline flag from frontmatter regex, extract skill name
  from URL path segments instead of basename on full URL
- agents-md.ts: wrap init/sync in try-catch for user-friendly error messages
- publish.ts: add path-traversal guard to mintlify branch
- validate.ts: remove duplicate error/warning output in spec report
- extractor.ts: add 30s AbortSignal timeout to all fetch calls
- skill-generator.ts: fix .filter(Boolean) stripping blank line after frontmatter
diff --git a/packages/cli/src/commands/agents-md.ts b/packages/cli/src/commands/agents-md.ts
@@ -44,17 +44,21 @@ export class AgentsMdInitCommand extends Command {
       return 1;
     }
 
-    const generator = new AgentsMdGenerator({ projectPath });
-    const result = generator.generate();
+    try {
+      const generator = new AgentsMdGenerator({ projectPath });
+      const result = generator.generate();
 
-    console.log(chalk.dim('Preview:'));
-    console.log('');
-    console.log(result.content);
+      console.log(chalk.dim('Preview:'));
+      console.log('');
+      console.log(result.content);
 
-    writeFileSync(agentsPath, result.content, 'utf-8');
-    console.log(chalk.green(`Created ${agentsPath}`));
-
-    return 0;
+      writeFileSync(agentsPath, result.content, 'utf-8');
+      console.log(chalk.green(`Created ${agentsPath}`));
+      return 0;
+    } catch (err) {
+      console.log(chalk.red(`Failed to generate AGENTS.md: ${err instanceof Error ? err.message : String(err)}`));
+      return 1;
+    }
   }
 }
 
@@ -74,23 +78,27 @@ export class AgentsMdSyncCommand extends Command {
       return 1;
     }
 
-    const existing = readFileSync(agentsPath, 'utf-8');
-    const parser = new AgentsMdParser();
-
-    if (!parser.hasManagedSections(existing)) {
-      console.log(chalk.yellow('No managed sections found in AGENTS.md. Nothing to update.'));
-      return 0;
-    }
+    try {
+      const existing = readFileSync(agentsPath, 'utf-8');
+      const parser = new AgentsMdParser();
 
-    const generator = new AgentsMdGenerator({ projectPath });
-    const result = generator.generate();
-    const managedSections = result.sections.filter(s => s.managed);
-    const updated = parser.updateManagedSections(existing, managedSections);
+      if (!parser.hasManagedSections(existing)) {
+        console.log(chalk.yellow('No managed sections found in AGENTS.md. Nothing to update.'));
+        return 0;
+      }
 
-    writeFileSync(agentsPath, updated, 'utf-8');
-    console.log(chalk.green(`Updated ${managedSections.length} managed section(s) in AGENTS.md`));
+      const generator = new AgentsMdGenerator({ projectPath });
+      const result = generator.generate();
+      const managedSections = result.sections.filter(s => s.managed);
+      const updated = parser.updateManagedSections(existing, managedSections);
 
-    return 0;
+      writeFileSync(agentsPath, updated, 'utf-8');
+      console.log(chalk.green(`Updated ${managedSections.length} managed section(s) in AGENTS.md`));
+      return 0;
+    } catch (err) {
+      console.log(chalk.red(`Failed to sync AGENTS.md: ${err instanceof Error ? err.message : String(err)}`));
+      return 1;
+    }
   }
 }
 
diff --git a/packages/cli/src/commands/publish.ts b/packages/cli/src/commands/publish.ts
@@ -129,8 +129,14 @@ export class PublishCommand extends Command {
         return 0;
       }
 
+      const resolvedOutput = resolve(outputDir);
       for (const skill of validSkills) {
         const mintlifyDir = join(outputDir, '.well-known', 'skills', skill.safeName);
+        const resolvedDir = resolve(mintlifyDir);
+        if (!resolvedDir.startsWith(resolvedOutput)) {
+          console.log(chalk.red(`Skipping ${skill.safeName} (path traversal detected)`));
+          continue;
+        }
         mkdirSync(mintlifyDir, { recursive: true });
         const skillMdPath = join(skill.path, 'SKILL.md');
         if (existsSync(skillMdPath)) {
diff --git a/packages/cli/src/commands/validate.ts b/packages/cli/src/commands/validate.ts
@@ -158,19 +158,6 @@ function printSpecReport(specResult: SpecValidationResult): void {
     }
   }
 
-  if (specResult.errors.length > 0) {
-    console.log('');
-    for (const err of specResult.errors) {
-      console.log(`  ${colors.error(symbols.error)} ${err}`);
-    }
-  }
-
-  if (specResult.warnings.length > 0) {
-    console.log('');
-    for (const w of specResult.warnings) {
-      console.log(`  ${colors.warning(symbols.warning)} ${w}`);
-    }
-  }
 }
 
 function getOrdinal(n: number): string {
diff --git a/packages/core/src/providers/wellknown.ts b/packages/core/src/providers/wellknown.ts
@@ -6,6 +6,18 @@ import type { GitProviderAdapter, CloneOptions } from './base.js';
 import { isGitUrl, isLocalPath } from './base.js';
 import type { GitProvider, CloneResult } from '../types.js';
 
+function skillNameFromUrl(url: string): string {
+  try {
+    const parsed = new URL(url);
+    const segments = parsed.pathname.split('/').filter(Boolean);
+    return segments[segments.length - 1] || parsed.hostname.split('.')[0] || 'default';
+  } catch {
+    return basename(url) || 'default';
+  }
+}
+
+const FRONTMATTER_REGEX = /^---\s*\n[\s\S]*?name:\s*.+/;
+
 function sanitizeSkillName(name: string): string | null {
   if (!name || typeof name !== 'string') return null;
   const base = basename(name);
@@ -85,8 +97,8 @@ export class WellKnownProvider implements GitProviderAdapter {
           const response = await fetch(fullUrl);
           if (response.ok) {
             const content = await response.text();
-            if (/^---\s*\n[\s\S]*?name:\s*.+/m.test(content)) {
-              const skillName = basename(baseUrl) || 'default';
+            if (FRONTMATTER_REGEX.test(content)) {
+              const skillName = skillNameFromUrl(baseUrl);
               const safeName = sanitizeSkillName(skillName) ?? 'default';
               const skillDir = join(tempDir, safeName);
               mkdirSync(skillDir, { recursive: true });
@@ -158,8 +170,8 @@ export class WellKnownProvider implements GitProviderAdapter {
             const response = await fetch(fullUrl);
             if (response.ok) {
               const content = await response.text();
-              if (/^---\s*\n[\s\S]*?name:\s*.+/m.test(content)) {
-                const skillName = basename(baseUrl) || 'default';
+              if (FRONTMATTER_REGEX.test(content)) {
+                const skillName = skillNameFromUrl(baseUrl);
                 const safeName = sanitizeSkillName(skillName) ?? 'default';
                 const skillDir = join(tempDir, safeName);
                 mkdirSync(skillDir, { recursive: true });
diff --git a/packages/core/src/save/extractor.ts b/packages/core/src/save/extractor.ts
@@ -45,6 +45,7 @@ const LANGUAGE_MAP: Record<string, string> = {
 
 const GITHUB_URL_PATTERN = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/blob\/([^/]+)\/(.+)$/;
 const GITHUB_RAW_PATTERN = /^https?:\/\/raw\.githubusercontent\.com\//;
+const FETCH_TIMEOUT = 30_000;
 
 export class ContentExtractor {
   private turndown: TurndownService;
@@ -61,7 +62,7 @@ export class ContentExtractor {
       return this.fetchGitHubContent(url, options);
     }
 
-    const response = await fetch(url);
+    const response = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT) });
     if (!response.ok) {
       throw new Error(`Failed to fetch ${url}: ${response.status} ${response.statusText}`);
     }
@@ -149,7 +150,7 @@ export class ContentExtractor {
       rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/${path}`;
     }
 
-    const response = await fetch(rawUrl);
+    const response = await fetch(rawUrl, { signal: AbortSignal.timeout(FETCH_TIMEOUT) });
     if (!response.ok) {
       throw new Error(`Failed to fetch GitHub content: ${response.status} ${response.statusText}`);
     }
diff --git a/packages/core/src/save/skill-generator.ts b/packages/core/src/save/skill-generator.ts
@@ -90,19 +90,18 @@ export class SkillGenerator {
     const yamlTags = tags.map((t) => `  - ${t}`).join('\n');
     const savedAt = new Date().toISOString();
 
-    return [
+    const lines = [
       '---',
       `name: ${name}`,
       `description: ${this.yamlEscape(description)}`,
-      tags.length > 0 ? `tags:\n${yamlTags}` : '',
+      tags.length > 0 ? `tags:\n${yamlTags}` : null,
       'metadata:',
-      source ? `  source: ${source}` : '',
+      source ? `  source: ${source}` : null,
       `  savedAt: ${savedAt}`,
       '---',
-      '',
-    ]
-      .filter(Boolean)
-      .join('\n');
+    ].filter((l): l is string => l !== null);
+
+    return lines.join('\n') + '\n';
   }
 
   private yamlEscape(value: string): string {

Original file line number	Diff line number	Diff line change
`@@ -158,19 +158,6 @@ function printSpecReport(specResult: SpecValidationResult): void {`
`158`	`158`	`}`
`159`	`159`	`}`
`160`	`160`
`161`		`- if (specResult.errors.length > 0) {`
`162`		`- console.log('');`
`163`		`- for (const err of specResult.errors) {`
`164`		- console.log(` ${colors.error(symbols.error)} ${err}`);
`165`		`- }`
`166`		`- }`
`167`		`-`
`168`		`- if (specResult.warnings.length > 0) {`
`169`		`- console.log('');`
`170`		`- for (const w of specResult.warnings) {`
`171`		- console.log(` ${colors.warning(symbols.warning)} ${w}`);
`172`		`- }`
`173`		`- }`
`174`	`161`	`}`
`175`	`162`
`176`	`163`	`function getOrdinal(n: number): string {`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ const LANGUAGE_MAP: Record<string, string> = {`
`45`	`45`
`46`	`46`	`const GITHUB_URL_PATTERN = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/blob\/([^/]+)\/(.+)$/;`
`47`	`47`	`const GITHUB_RAW_PATTERN = /^https?:\/\/raw\.githubusercontent\.com\//;`
	`48`	`+const FETCH_TIMEOUT = 30_000;`
`48`	`49`
`49`	`50`	`export class ContentExtractor {`
`50`	`51`	`private turndown: TurndownService;`
`@@ -61,7 +62,7 @@ export class ContentExtractor {`
`61`	`62`	`return this.fetchGitHubContent(url, options);`
`62`	`63`	`}`
`63`	`64`
`64`		`- const response = await fetch(url);`
	`65`	`+ const response = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT) });`
`65`	`66`	`if (!response.ok) {`
`66`	`67`	throw new Error(`Failed to fetch ${url}: ${response.status} ${response.statusText}`);
`67`	`68`	`}`
`@@ -149,7 +150,7 @@ export class ContentExtractor {`
`149`	`150`	rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/${path}`;
`150`	`151`	`}`
`151`	`152`
`152`		`- const response = await fetch(rawUrl);`
	`153`	`+ const response = await fetch(rawUrl, { signal: AbortSignal.timeout(FETCH_TIMEOUT) });`
`153`	`154`	`if (!response.ok) {`
`154`	`155`	throw new Error(`Failed to fetch GitHub content: ${response.status} ${response.statusText}`);
`155`	`156`	`}`