Fix schema validation, dark mode guard, and path traversal check

Schema: add if/then conditional rules to interactionStep requiring
selector for click/hover/wait/scroll and script for eval actions.

Capture: add null guard for defaults.dark.ready in switchToDark and
switchToLight with descriptive error messages.

Serve: fix path traversal prefix check to prevent sibling directory
matching (e.g., C:\foo matching C:\foobar).

Docs: remove leftover "pre-rendered site path" reference in SKILL.md,
fix "Three source types" → "Two source types" in manifest-schema.md.

Author: cderv

.claude/skills/screenshot/SKILL.md

@@ -44,7 +44,7 @@ Gather these parameters (ask about unknowns, infer from context when obvious):
 | Parameter | Values / Notes |
 |-----------|---------------|
 | Source type | `url` (live site), `example` (Quarto project — render then serve) |
-| Source detail | URL, example project path (create minimal project if needed), or pre-rendered site path |
+| Source detail | URL or example project path (create minimal project if needed) |
 | Viewport | navbar=1440x400, sidebar=992x600, about=1200x900, full page=1440x900 |
 | Zoom | Default 1.0; use 1.15 for about pages or excess internal padding |
 | Element | CSS selector if capturing a specific element; omit for full viewport |

.claude/skills/screenshot/manifest-schema.md

@@ -63,7 +63,7 @@ Each entry in the `screenshots` array defines one screenshot to capture.
 
 ### `source`
 
-Three source types:
+Two source types:
 
 **`example`** — a Quarto project that capture.js will **render then serve**:
 ```json

tools/screenshots/capture.js

@@ -275,6 +275,9 @@ function darkOutputPath(outputPath) {
 // Switch to dark mode via JS (avoids toggle visibility issues at narrow viewports)
 async function switchToDark(page) {
   const darkConfig = manifest.defaults.dark;
+  if (!darkConfig?.ready) {
+    throw new Error('defaults.dark.ready must be configured when screenshots use "dark": true');
+  }
   await page.evaluate(() => {
     if (typeof window.quartoToggleColorScheme !== 'function') {
       throw new Error('quartoToggleColorScheme not found — page may not support dark mode');
@@ -290,6 +293,9 @@ async function switchToDark(page) {
 // Switch back to light mode
 async function switchToLight(page) {
   const darkConfig = manifest.defaults.dark;
+  if (!darkConfig?.ready) {
+    throw new Error('defaults.dark.ready must be configured when switching back to light');
+  }
   await page.evaluate(() => {
     if (typeof window.quartoToggleColorScheme !== 'function') {
       throw new Error('quartoToggleColorScheme not found — page may not support dark mode');

tools/screenshots/manifest-schema.json

@@ -67,7 +67,17 @@
           "type": "string",
           "description": "JavaScript for eval action."
         }
-      }
+      },
+      "allOf": [
+        {
+          "if": { "properties": { "action": { "enum": ["click", "hover", "wait", "scroll"] } } },
+          "then": { "required": ["selector"] }
+        },
+        {
+          "if": { "properties": { "action": { "const": "eval" } } },
+          "then": { "required": ["script"] }
+        }
+      ]
     },
     "spotlightConfig": {
       "type": "object",

tools/screenshots/scripts/serve.js

@@ -23,7 +23,8 @@ const server = http.createServer((req, res) => {
   const pathname = decodeURIComponent(new URL(req.url, 'http://localhost').pathname);
   let filePath = path.join(dir, pathname);
   const resolved = path.resolve(filePath);
-  if (!resolved.startsWith(dir + path.sep) && resolved !== dir) {
+  const dirPrefix = dir.endsWith(path.sep) ? dir : dir + path.sep;
+  if (!resolved.startsWith(dirPrefix) && resolved !== dir) {
     res.writeHead(403);
     res.end('Forbidden');
     return;