Add referenced last30days catalog entry

This commit is contained in:
Dotta
2026-06-04 20:01:25 +00:00
parent 1227bb8ead
commit bee2b25f5d
17 changed files with 1276 additions and 49 deletions
@@ -1,6 +1,5 @@
import { describe, expect, it } from "vitest";
import { catalogManifest, catalogSkills, resolveCatalogSkillRef } from "./index.js";
import type { CatalogSkill } from "./types.js";
const EXPECTED_BUNDLED_KEYS = [
"paperclipai/bundled/docs/doc-maintenance",
@@ -15,6 +14,7 @@ const EXPECTED_OPTIONAL_KEYS = [
"paperclipai/optional/browser/agent-browser",
"paperclipai/optional/content/release-announcement",
"paperclipai/optional/product/design-critique",
"paperclipai/optional/research/last30days",
];
describe("shipped skills catalog", () => {
@@ -32,12 +32,14 @@ describe("shipped skills catalog", () => {
expect(optionalKeys).toEqual(EXPECTED_OPTIONAL_KEYS);
});
it("keeps every shipped skill free of executable scripts until script-bearing skills clear security review", () => {
// The real install-time security boundary (server assertCatalogSkillInstallable) blocks
// only "scripts_executables". Static assets (svg/html templates, e.g. the wireframe skill)
// carry the "assets" trust level and are installable, so they are allowed in the catalog.
it("keeps script-bearing shipped skills explicit so install stays audit-gated", () => {
// The real install-time security boundary audits materialized bytes and blocks
// hard-stop findings. Static assets (svg/html templates, e.g. the wireframe skill)
// carry the "assets" trust level and are installable.
const scriptBearing = catalogSkills.filter((skill) => skill.trustLevel === "scripts_executables");
expect(scriptBearing, formatViolations("script-bearing skills require security review", scriptBearing)).toEqual([]);
expect(scriptBearing.map((skill) => skill.key)).toEqual([
"paperclipai/optional/research/last30days",
]);
});
it("populates browse/search-relevant fields for every shipped skill", () => {
@@ -86,9 +88,3 @@ describe("shipped skills catalog", () => {
expect(resolveCatalogSkillRef(sample.slug)).toMatchObject({ key: sample.key });
});
});
function formatViolations(label: string, skills: CatalogSkill[]) {
if (skills.length === 0) return label;
const detail = skills.map((skill) => `${skill.key} (${skill.trustLevel})`).join(", ");
return `${label}: ${detail}`;
}