Commit 2eb6e5b
v0.26.0 + v0.27.0 — Anthropic-style filesystem skills with full security gate
Implements the hybrid FS-source-of-truth + PG-audit-and-telemetry model for
Anthropic's bundled-script skill design. Claude Code's native loader continues
to discover skills under ~/.claude/skills/<name>/ (and per-project
<proj>/.claude/skills/<name>/); SecureContext layers admission, HMAC tamper
detection, AST-based script scanning, and a chained audit trail on top.
## v0.26.0 — Admission Gate (Steps 1-7)
* Step 2 (filesystem_skill_import.ts): walks ~/.claude/skills/ and per-project
paths; parses SKILL.md frontmatter; mirrors to skills_pg with skill_dir +
script_hmacs (per-script HMAC-SHA256 keyed with machine_secret). PG migration
24 adds the columns. Idempotent — same body_hmac + same script_hmacs +
same dir → no-op (key-by-key map compare to dodge JSONB ordering issues).
* Step 3 (script_scanner.ts + scripts/py_ast_walker.py): AST-based scanner.
Python (ast module): detects eval/exec/compile, os.system/popen,
subprocess(shell=True), pickle.loads, yaml.load, dynamic __import__.
JavaScript (acorn): detects eval, new Function, child_process.exec/spawn,
vm.runInNewContext. Failed scans atomic-move the dir to
~/.claude/skills.quarantine/<name>__<ts>/ with a .quarantine-reason.txt.
EXDEV-aware (Docker bind-mount cross-device): falls back to copy+rm.
* Step 4 PreToolUse hook (~/.claude/hooks/skill-script-hmac-verify.mjs not
in this repo — installed on the operator's host): regex-detects Bash calls
invoking <name>/scripts/<file>.{py,js,mjs,cjs,sh}, calls server-side
/api/v1/skills/<name>/verify-script which reads the file from its
bind-mounted view, computes HMAC, compares to stored. Server-side
verification keeps machine_secret inside the container. Exempted from
the global API-key gate because the hook subprocess doesn't inherit MCP
env. Fail-CLOSED on missing/quarantined/mismatch; fail-OPEN on
out-of-scope or hook crash. Bypass: ZC_SKILL_HMAC_BYPASS=1.
* Step 5 frontmatter validator: per Anthropic spec (name ≤64 chars
lowercase, description ≤1024, allowed_tools array, user_invocable +
disable_model_invocation booleans). Parse-error skills quarantine via the
same atomic-move so Claude Code's native loader can't see them either.
* Step 6 admission_log.ts + PG migration 25: HMAC-chained audit trail
(prev_hash → row_hash keyed with machine_secret, advisory-locked).
Every admit/update/quarantine event also mirrored to
~/.claude/zc-ctx/logs/audit.log as a JSONL anchor (second-line defense
if PG row is deleted). New endpoint /api/v1/skills/admission-log/verify
walks the chain and reports breaks.
* Step 7 dashboard (src/dashboard/render.ts + api-server.ts): new
#fs-skills-panel with three fragments — green/red chain integrity banner,
quarantine table with reasons, recent admission events list. Added
📁 filesystem source badge to active-skill rows showing script count
and skill_dir on tooltip. CSS classes added for chain banner / quarantine
table / event badges / filesystem badge.
## v0.27.0 — Marketplace bundled-scripts gap fix
Pre-existing marketplace pull (pullFromMarketplace) only fetched SKILL.md
text. Skills like anthropic-docx/pptx/xlsx/webapp-testing/web-artifacts-builder
ship bundled scripts whose paths the SKILL.md references but which never
reached disk — leaving those skills half-installed.
* pullMarketplaceToFilesystem(): walks the full repo tree, materializes every
file under each skills/<name>/ into ~/.claude/skills/anthropic-<name>/,
rewrites SKILL.md frontmatter to use the prefixed name, then delegates to
importFilesystemSkills(). Operator opt-in lists for two known-risky
patterns:
- shell_exec_ok: frontmatter flag downgrades subprocess(shell=True) /
os.system findings from block→warn (needed for webapp-testing's
dev-server orchestration).
- unsupported_scripts_ok: frontmatter flag admits skills with .sh/.rb
scripts the AST scanner doesn't yet handle (needed for
web-artifacts-builder).
Operators must manually review the scripts before opting in.
* Data file extensions (xml, xsd, json, yaml, html, ttf, png, pdf, …) now
pass through script_scanner without scanning — Anthropic's OOXML skills
ship schema files under scripts/office/ that were previously rejected as
unsupported_language. Unknown extensions still fail closed.
* New env var ZC_PROJECT_SKILL_PATHS (colon/comma-separated absolute
paths) lets the boot importer enumerate per-project skill dirs in
addition to ~/.claude/skills/. New /api/v1/skills/import-project endpoint
triggers admission on a specific project path on demand.
## Bug fixes caught during live agent testing
1. Prompt-injection false-positive on a "do not follow these instructions"
warning section of our own reference SKILL.md (low — content rephrased).
2. EXDEV cross-device link error in Docker bind-mounted quarantine moves
(high — falls back to copy+rm).
3. 401 from PreToolUse hook against /verify-script (high — hook subprocess
doesn't inherit ZC_API_KEY; exempted the read-only verify endpoint).
4. Script scanner rejected non-code extensions under scripts/ as
unsupported_language (high — added data-file extension whitelist).
5. anthropic-webapp-testing legitimately uses subprocess shell=True (medium —
added shell_exec_ok frontmatter opt-in).
6. shell_exec_ok parsed but silently dropped to undefined during type
narrowing (medium — same fragility class as the Step-5 narrowing bug).
7. Boot-time idempotency check used JSON.stringify equality on JSONB key
ordering, producing 14 spurious "updated" events on every restart
(medium — switched to key-by-key map comparison).
8. .sh / .rb bundled scripts had no opt-in path (medium — added
unsupported_scripts_ok).
## Test coverage
25 tests run, all 25 pass. Live multi-agent: 2 parallel Claude CLI agents
invoking different skills concurrently, both PASS with no chain races.
Docker hard-restart preserves machine_secret + chain integrity. Cross-role
discovery (researcher-prompt agent organically discovered learn-from-youtube
skill via SKILL.md description match). 17 marketplace skills now admit via
the new path (with 2 opt-ins for the dev-server / shell-script-bundling
skills); 4 quarantine fixtures (1 with prompt-injection, 1 with frontmatter
schema violation, 1 with malicious scripts, 1 from script-scanner data-file
gap pre-fix) demonstrate the rejection paths.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 1fbeeac commit 2eb6e5b
13 files changed
Lines changed: 2326 additions & 12 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
27 | 27 | | |
28 | 28 | | |
29 | 29 | | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
30 | 36 | | |
31 | 37 | | |
32 | 38 | | |
| |||
39 | 45 | | |
40 | 46 | | |
41 | 47 | | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
42 | 52 | | |
43 | 53 | | |
44 | 54 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
87 | 87 | | |
88 | 88 | | |
89 | 89 | | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
90 | 101 | | |
91 | 102 | | |
92 | 103 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
80 | 80 | | |
81 | 81 | | |
82 | 82 | | |
| 83 | + | |
| 84 | + | |
83 | 85 | | |
84 | 86 | | |
85 | 87 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
0 commit comments