init (#383)

Author: quuu

src/add.ts

@@ -39,7 +39,14 @@ import {
   getNonUniversalAgents,
   isUniversalAgent,
 } from './agents.ts';
-import { track, setVersion } from './telemetry.ts';
+import {
+  track,
+  setVersion,
+  fetchAuditData,
+  type AuditResponse,
+  type SkillAuditData,
+  type PartnerAudit,
+} from './telemetry.ts';
 import { findProvider, wellKnownProvider, type WellKnownSkill } from './providers/index.ts';
 import { fetchMintlifySkill } from './mintlify.ts';
 import {
@@ -56,6 +63,91 @@ export function initTelemetry(version: string): void {
   setVersion(version);
 }
 
+// ─── Security Advisory ───
+
+function riskLabel(risk: string): string {
+  switch (risk) {
+    case 'critical':
+      return pc.red(pc.bold('Critical Risk'));
+    case 'high':
+      return pc.red('High Risk');
+    case 'medium':
+      return pc.yellow('Med Risk');
+    case 'low':
+      return pc.green('Low Risk');
+    case 'safe':
+      return pc.green('Safe');
+    default:
+      return pc.dim('--');
+  }
+}
+
+function socketLabel(audit: PartnerAudit | undefined): string {
+  if (!audit) return pc.dim('--');
+  const count = audit.alerts ?? 0;
+  return count > 0 ? pc.red(`${count} alert${count !== 1 ? 's' : ''}`) : pc.green('0 alerts');
+}
+
+/** Pad a string to a given visible width (ignoring ANSI escape codes). */
+function padEnd(str: string, width: number): string {
+  // Strip ANSI codes to measure visible length
+  const visible = str.replace(/\x1b\[[0-9;]*m/g, '');
+  const pad = Math.max(0, width - visible.length);
+  return str + ' '.repeat(pad);
+}
+
+/**
+ * Render a compact security table showing partner audit results.
+ * Returns the lines to display, or empty array if no data.
+ */
+function buildSecurityLines(
+  auditData: AuditResponse | null,
+  skills: Array<{ slug: string; displayName: string }>,
+  source: string
+): string[] {
+  if (!auditData) return [];
+
+  // Check if we have any audit data at all
+  const hasAny = skills.some((s) => {
+    const data = auditData[s.slug];
+    return data && Object.keys(data).length > 0;
+  });
+  if (!hasAny) return [];
+
+  // Compute column width for skill names
+  const nameWidth = Math.min(Math.max(...skills.map((s) => s.displayName.length)), 36);
+
+  // Header
+  const lines: string[] = [];
+  const header =
+    padEnd('', nameWidth + 2) +
+    padEnd(pc.dim('Gen'), 18) +
+    padEnd(pc.dim('Socket'), 18) +
+    pc.dim('Snyk');
+  lines.push(header);
+
+  // Rows
+  for (const skill of skills) {
+    const data = auditData[skill.slug];
+    const name =
+      skill.displayName.length > nameWidth
+        ? skill.displayName.slice(0, nameWidth - 1) + '\u2026'
+        : skill.displayName;
+
+    const ath = data?.ath ? riskLabel(data.ath.risk) : pc.dim('--');
+    const socket = data?.socket ? socketLabel(data.socket) : pc.dim('--');
+    const snyk = data?.snyk ? riskLabel(data.snyk.risk) : pc.dim('--');
+
+    lines.push(padEnd(pc.cyan(name), nameWidth + 2) + padEnd(ath, 18) + padEnd(socket, 18) + snyk);
+  }
+
+  // Footer link
+  lines.push('');
+  lines.push(`${pc.dim('Details:')} ${pc.dim(`https://skills.sh/${source}`)}`);
+
+  return lines;
+}
+
 /**
  * Shortens a path for display: replaces homedir with ~ and cwd with .
  * Handles both Unix and Windows path separators.
@@ -1586,6 +1678,16 @@ export async function runAdd(args: string[], options: AddOptions = {}): Promise<
       selectedSkills = selected as Skill[];
     }
 
+    // Kick off security audit fetch early (non-blocking) so it runs
+    // in parallel with agent selection, scope, and mode prompts.
+    const ownerRepoForAudit = getOwnerRepo(parsed);
+    const auditPromise = ownerRepoForAudit
+      ? fetchAuditData(
+          ownerRepoForAudit,
+          selectedSkills.map((s) => getSkillDisplayName(s))
+        )
+      : Promise.resolve(null);
+
     let targetAgents: AgentType[];
     const validAgents = Object.keys(agents);
 
@@ -1760,6 +1862,27 @@ export async function runAdd(args: string[], options: AddOptions = {}): Promise<
     console.log();
     p.note(summaryLines.join('\n'), 'Installation Summary');
 
+    // Await and display security audit results (started earlier in parallel)
+    // Wrapped in try/catch so a failed audit fetch never blocks installation.
+    try {
+      const auditData = await auditPromise;
+      if (auditData && ownerRepoForAudit) {
+        const securityLines = buildSecurityLines(
+          auditData,
+          selectedSkills.map((s) => ({
+            slug: getSkillDisplayName(s),
+            displayName: getSkillDisplayName(s),
+          })),
+          ownerRepoForAudit
+        );
+        if (securityLines.length > 0) {
+          p.note(securityLines.join('\n'), 'Security Risk Assessments');
+        }
+      }
+    } catch {
+      // Silently skip — security info is advisory only
+    }
+
     if (!options.yes) {
       const confirmed = await p.confirm({ message: 'Proceed with installation?' });
 

src/telemetry.ts

@@ -1,4 +1,5 @@
 const TELEMETRY_URL = 'https://add-skill.vercel.sh/t';
+const AUDIT_URL = 'https://add-skill.vercel.sh/audit';
 
 interface InstallTelemetryData {
   event: 'install';
@@ -75,6 +76,50 @@ export function setVersion(version: string): void {
   cliVersion = version;
 }
 
+// ─── Security audit data ───
+
+export interface PartnerAudit {
+  risk: 'safe' | 'low' | 'medium' | 'high' | 'critical' | 'unknown';
+  alerts?: number;
+  score?: number;
+  analyzedAt: string;
+}
+
+export type SkillAuditData = Record<string, PartnerAudit>;
+export type AuditResponse = Record<string, SkillAuditData>;
+
+/**
+ * Fetch security audit results for skills from the audit API.
+ * Returns null on any error or timeout — never blocks installation.
+ */
+export async function fetchAuditData(
+  source: string,
+  skillSlugs: string[],
+  timeoutMs = 3000
+): Promise<AuditResponse | null> {
+  if (skillSlugs.length === 0) return null;
+
+  try {
+    const params = new URLSearchParams({
+      source,
+      skills: skillSlugs.join(','),
+    });
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+
+    const response = await fetch(`${AUDIT_URL}?${params.toString()}`, {
+      signal: controller.signal,
+    });
+    clearTimeout(timeout);
+
+    if (!response.ok) return null;
+    return (await response.json()) as AuditResponse;
+  } catch {
+    return null;
+  }
+}
+
 export function track(data: TelemetryData): void {
   if (!isEnabled()) return;