Skip to content

Feat/dart native skills install#481

Merged
divyanshub024 merged 6 commits into
StacDev:devfrom
Pratikdate:feat/dart-native-skills-install
Jun 25, 2026
Merged

Feat/dart native skills install#481
divyanshub024 merged 6 commits into
StacDev:devfrom
Pratikdate:feat/dart-native-skills-install

Conversation

@Pratikdate

@Pratikdate Pratikdate commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Description

This PR implements a Dart/Flutter-native path for installing Stac skills without requiring Node, npm, or npx, addressing issue #479 (or the relevant issue ID). It adds a new stac skills add CLI command and integrates it into the stac init flow.

Key Changes

  • New Command (stac skills add):
    • Download and extraction of repository ZIP archive using dio and archive.
    • Parses skills/catalog.json from the repository root to find registered skills.
    • Copies specific skill directories to .agents/skills relative to the target directory.
    • Cleans up all downloaded temporary files reliably.
  • Enhanced Security:
    • Prevents path-traversal attacks by validating skillName and skillPath against patterns like .., absolute paths, and backslashes, ensuring all extractions stay within boundaries.
  • Project Initialization Integration:
    • stac init now prompts the user to optionally install Stac agent skills as part of the setup flow.
  • Tests & Documentation:
    • Added unit tests verifying command registration, subcommand registration, and AddCommand attributes.
    • Updated docs/skills.mdx to prioritize the native CLI pathway over npx.

Related Issues

Closes #479 (or insert the correct issue number here)

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Code refactor
  • Build configuration change
  • Documentation
  • Chore

Summary by CodeRabbit

  • New Features
    • Added the stac skills add command to install Stac AI agent skills into your project.
    • Project initialization now includes a guided prompt to install skills during setup.
    • Skills installation adds safer handling for supported repository sources and destination paths, with clear progress and error reporting.
  • Documentation
    • Updated skills installation instructions to use stac skills add, including an alternative npx-based command.

@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a693706-4299-4bf1-89f7-098a6553e6c4

📥 Commits

Reviewing files that changed from the base of the PR and between 617e321 and cc5ee8b.

📒 Files selected for processing (1)
  • packages/stac_cli/lib/src/commands/skills/add_command.dart
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/stac_cli/lib/src/commands/skills/add_command.dart

📝 Walkthrough

Walkthrough

Adds stac skills add for installing Stac agent skills from a GitHub ZIP, wires the new skills command into the CLI and init flow, adds the archive dependency, and updates the skills installation docs.

Changes

Skills installation feature

Layer / File(s) Summary
AddCommand and copy flow
packages/stac_cli/pubspec.yaml, packages/stac_cli/lib/src/commands/skills/add_command.dart
AddCommand downloads and extracts the repo ZIP, reads skills/catalog.json, validates catalog entries and path bounds, copies skill directories into <targetDirectory>/.agents/skills/, removes temp files, and returns 0/1. archive is added to pubspec.yaml.
Skills command wiring
packages/stac_cli/lib/src/commands/skills_command.dart, packages/stac_cli/bin/stac_cli.dart
SkillsCommand defines the skills command group and registers AddCommand; the CLI runner imports and registers SkillsCommand.
Init prompt for skills install
packages/stac_cli/lib/src/commands/init_command.dart
InitCommand prompts to install skills during initialization, runs AddCommand in the target directory when accepted, and warns on a non-zero exit code.
Skills install docs
docs/skills.mdx
Installation instructions now show stac skills add as the primary path and npx as an alternative.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

Possibly related PRs

  • StacDev/stac#446: Both PRs touch docs/skills.mdx and the Stac Skills documentation flow.

Suggested reviewers

  • Potatomonsta

Poem

🐇 Hop hop, a new skill path is near,
ZIPs and catalogs make the way clear.
The CLI hums, then the init bells ring,
Into .agents/skills the helpers spring.
stac skills add — a tidy little fling!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR adds skills installation features, but linked issue #479 requires a local stac dev workflow and related CLI/runtime changes. Implement the stac dev workflow requirements in #479, including local serving, watch/rebuild, device URLs, and apiBaseUrl support.
Out of Scope Changes check ⚠️ Warning Most changes are unrelated to the linked stac dev objective and focus instead on skills installation and init flow. Remove the skills-install changes or retarget the PR to the matching issue so the diff aligns with the linked stac dev scope.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding a Dart-native skills install flow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
packages/stac_cli/test/commands/cli_commands_test.dart (1)

76-87: 🏗️ Heavy lift

Behavior-critical AddCommand paths still need focused tests.

Current tests validate metadata only. Please add cases for traversal rejection, invalid catalog entries, and temp-dir cleanup in finally so regressions in install safety are caught.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stac_cli/test/commands/cli_commands_test.dart` around lines 76 - 87,
Add focused unit tests in packages/stac_cli/test/commands/cli_commands_test.dart
for AddCommand that exercise its runtime behavior (not just metadata): add a
test that simulates filesystem traversal attempting to escape the target
directory and assert the command rejects it (reference AddCommand's
traversal/validation logic), add a test that supplies invalid/malformed catalog
entries and asserts the command fails with the expected error handling path
(reference the parsing/validation routine used by AddCommand), and add a test
that forces an error during install to verify the temporary directory is always
deleted in the finally/cleanup block (assert temp-dir does not remain after
failure). Ensure each test constructs AddCommand, invokes the same execution
method used by the CLI (e.g., run/execute), stubs/mocks IO as needed, and
asserts both the failure mode and that cleanup code ran.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/stac_cli/lib/src/commands/skills/add_command.dart`:
- Around line 111-120: The loop that reads catalog entries uses skill['name']
and skill['path'] without type-checking and then casts to String for
_containsPathTraversal, which can throw on non-string values; update the loop in
add_command.dart to first check that skillName and skillPath are Strings (e.g.,
skill['name'] is String and skill['path'] is String) before calling
_containsPathTraversal or casting, and if either is not a String skip the entry
(log a warning via ConsoleLogger.warning mentioning the malformed entry) so a
single bad catalog item cannot abort the install flow.
- Around line 130-137: Replace the fragile prefix check on canonicalized paths
(sourceCanonical.startsWith(repoRootCanonical)) with a robust containment test
using path.isWithin(repoRootCanonical, sourceCanonical) or equality check to
ensure the source is either equal to or strictly inside the repo root; update
the same logic where target/skill paths are validated. In addition, harden
_copyDirectory to avoid symlink traversal by calling Directory.list(...,
followLinks: false) and explicitly handling Link/File/Directory entities
(resolving or skipping links) so you never recursively follow symlinks that
could escape repo/target boundaries; ensure any copied path is re-canonicalized
and validated with path.isWithin before writing to the destination.

---

Nitpick comments:
In `@packages/stac_cli/test/commands/cli_commands_test.dart`:
- Around line 76-87: Add focused unit tests in
packages/stac_cli/test/commands/cli_commands_test.dart for AddCommand that
exercise its runtime behavior (not just metadata): add a test that simulates
filesystem traversal attempting to escape the target directory and assert the
command rejects it (reference AddCommand's traversal/validation logic), add a
test that supplies invalid/malformed catalog entries and asserts the command
fails with the expected error handling path (reference the parsing/validation
routine used by AddCommand), and add a test that forces an error during install
to verify the temporary directory is always deleted in the finally/cleanup block
(assert temp-dir does not remain after failure). Ensure each test constructs
AddCommand, invokes the same execution method used by the CLI (e.g.,
run/execute), stubs/mocks IO as needed, and asserts both the failure mode and
that cleanup code ran.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c18dbf50-3131-4008-9aa7-9e634c67460b

📥 Commits

Reviewing files that changed from the base of the PR and between 29491d8 and 30d4eb6.

⛔ Files ignored due to path filters (1)
  • packages/stac_cli/pubspec.lock is excluded by !**/*.lock
📒 Files selected for processing (8)
  • docs/skills.mdx
  • packages/stac_cli/bin/stac_cli.dart
  • packages/stac_cli/lib/src/commands/init_command.dart
  • packages/stac_cli/lib/src/commands/skills/add_command.dart
  • packages/stac_cli/lib/src/commands/skills_command.dart
  • packages/stac_cli/pubspec.yaml
  • packages/stac_cli/test/commands/cli_commands_test.dart
  • packages/stac_cli/test/utils/file_utils_test.dart

Comment thread packages/stac_cli/lib/src/commands/skills/add_command.dart
Comment thread packages/stac_cli/lib/src/commands/skills/add_command.dart
@Potatomonsta

Copy link
Copy Markdown
Contributor

Hey @Pratikdate
I noticed this PR includes quite a few commits from the unit-tests PR (8f8f208, 4db325e, etc.).
Can you please drop those from this branch so this PR only contains the skills install changes?

@Pratikdate

Copy link
Copy Markdown
Contributor Author

Thanks for catching that. Those commits were pulled in accidentally when I branched off the wrong base.

I'll clean up the branch and remove the unit-tests commits (8f8f208, 4db325e, etc.) so the PR only contains the skills install changes. I'll update the PR shortly.

- Add SkillsCommand with 'stac skills add' subcommand
- AddCommand fetches repo ZIP, parses skills/catalog.json,
  and copies skill dirs into .agents/skills/ — no Node/npm required
- Prompt users in 'stac init' to optionally install agent skills
- Register SkillsCommand in the CLI runner
- Add archive: ^4.0.9 dependency for ZIP extraction
- Update docs/skills.mdx to show Dart-native path first,
  keeping npx as an alternative
- Add tests for SkillsCommand and AddCommand (7 tests pass)

Closes StacDev#480
- Move tempDir cleanup into finally block so temp files are always
  removed even on early return or exception
- Validate skillName and skillPath from catalog.json to prevent
  path-traversal attacks (reject '..', absolute paths, backslashes,
  and enforce canonical boundary checks)
- Accept optional targetDirectory in AddCommand so stac init installs
  skills into the correct project directory, not Directory.current
- Handle non-zero exit from AddCommand in init with a warning instead
  of silently printing success
- Assert non-null and correct type before casting in test to give
  cleaner failure output
@Pratikdate Pratikdate force-pushed the feat/dart-native-skills-install branch from 35a4a5f to 617e321 Compare June 15, 2026 15:56
@Pratikdate

Copy link
Copy Markdown
Contributor Author

Hii @Potatomonsta ,
I've cleaned up the branch and removed the unrelated unit-test commits that were pulled in by mistake. The PR should now contain only the skills install changes.

@Potatomonsta Potatomonsta left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Pratikdate
Could you please review my PR comments? It looks like the add command is trying to access skills/catalog.json before the repository extraction finishes. The extraction call appears to be asynchronous and not awaited, which may be causing the failure.

Comment thread packages/stac_cli/lib/src/commands/skills/add_command.dart Outdated
@divyanshub024

Copy link
Copy Markdown
Member

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@divyanshub024 divyanshub024 merged commit e3bd43c into StacDev:dev Jun 25, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants