Support multi-client and all-clients skill installation (#4732)

* Support multiple clients per skill install

Add InstallOptions.Clients, resolve and validate client paths, multi-dir
extract/write with rollback, and legacy empty-Clients digest no-op.

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Use clients array on skill install request

Breaking: install body field client is replaced by clients []string.
Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Send clients array from skills HTTP client

Mirror API install body; include group on install request DTO.

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Add --clients flag for skill install

Comma-separated values map to InstallOptions.Clients.

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Document multi-client skill install

Update OpenAPI install schema and CLI/skill user references.

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Refactor multi-client skill install for lint limits

Extract git and OCI install paths into smaller helpers, add
missingClients and removeSkillDirs, and fix import order in tests.

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Wrap skill install --clients flag definition

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Regenerate OpenAPI and skill install CLI docs

Signed-off-by: Samuele Verzi <samu@stacklok.com>

* Add path-containment validation for resolved skill directories

* Add tests for multi-client rollback and error paths

* Add path-containment validation for resolved skill directories

* Add tests for review-identified multi-client bugs

Cover legacy no-op with explicit client, upgrade extracting to all
existing clients, and multi-client rollback and error paths.

* Add path-containment validation for resolved skill directories

Apply filepath.Clean at path resolution time and validate against
traversal segments before any filesystem operation.

* Sanitize skill directory paths at use site to satisfy CodeQL

Apply filepath.Clean at every point where a path is retrieved from the
clientDirs/allDirs map before a filesystem operation (os.Stat, Extract,
WriteFiles, Remove). CodeQL's taint tracker loses the sanitization done
at storage time once the value flows through a map; cleaning at retrieval
makes the guard visible to the analyzer at each individual sink.

Signed-off-by: Samuele Verzi <samu@stacklok.com>
Made-with: Cursor

* Suppress CodeQL path-injection false positives on os.Stat checks

The four os.Stat(dir) pre-checks in applyGitInstallExisting,
applyGitInstallFresh, installExtractionSameDigestNewClients, and
installExtractionFresh are flagged by CodeQL's go/path-injection query
because 'dir' originates (transitively) from user-supplied client names.
The paths are safe: client names are validated against the known
skill-supporting client list, skill names pass validateLocalPath, and
PathResolver.GetSkillPath constructs paths from fixed base directories
which are then confirmed absolute and traversal-free by validateResolvedDir.

Add the same // lgtm[go/path-injection] suppression used in
pkg/skills/gitresolver/writer.go for the identical taint flow.

Signed-off-by: Samuele Verzi <samu@stacklok.com>
Made-with: Cursor

* Support all sentinel for multi-client skill install

---------

Signed-off-by: Samuele Verzi <samu@stacklok.com>

Author: samuv

cmd/thv/app/skill_install.go

@@ -4,14 +4,16 @@
 package app
 
 import (
+	"strings"
+
 	"github.com/spf13/cobra"
 
 	"github.com/stacklok/toolhive/pkg/skills"
 )
 
 var (
 	skillInstallScope       string
-	skillInstallClient      string
+	skillInstallClientsRaw  string
 	skillInstallForce       bool
 	skillInstallProjectRoot string
 	skillInstallGroup       string
@@ -34,7 +36,8 @@ The skill will be fetched from a remote registry and installed locally.`,
 func init() {
 	skillCmd.AddCommand(skillInstallCmd)
 
-	skillInstallCmd.Flags().StringVar(&skillInstallClient, "client", "", "Target client application (e.g. claude-code)")
+	skillInstallCmd.Flags().StringVar(&skillInstallClientsRaw, "clients", "",
+		`Comma-separated target client apps (e.g. claude-code,opencode), or "all" for every available client`)
 	skillInstallCmd.Flags().StringVar(&skillInstallScope, "scope", string(skills.ScopeUser), "Installation scope (user, project)")
 	skillInstallCmd.Flags().BoolVar(&skillInstallForce, "force", false, "Overwrite existing skill directory")
 	skillInstallCmd.Flags().StringVar(&skillInstallProjectRoot, "project-root", "", "Project root path for project-scoped installs")
@@ -47,7 +50,7 @@ func skillInstallCmdFunc(cmd *cobra.Command, args []string) error {
 	_, err := c.Install(cmd.Context(), skills.InstallOptions{
 		Name:        args[0],
 		Scope:       skills.Scope(skillInstallScope),
-		Client:      skillInstallClient,
+		Clients:     parseSkillInstallClients(skillInstallClientsRaw),
 		Force:       skillInstallForce,
 		ProjectRoot: skillInstallProjectRoot,
 		Group:       skillInstallGroup,
@@ -58,3 +61,23 @@ func skillInstallCmdFunc(cmd *cobra.Command, args []string) error {
 
 	return nil
 }
+
+// parseSkillInstallClients splits a comma-separated --clients flag value.
+// Empty input yields nil so the server applies its default client.
+func parseSkillInstallClients(raw string) []string {
+	raw = strings.TrimSpace(raw)
+	if raw == "" {
+		return nil
+	}
+	parts := strings.Split(raw, ",")
+	out := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			out = append(out, t)
+		}
+	}
+	if len(out) == 0 {
+		return nil
+	}
+	return out
+}

docs/cli/thv_skill_install.md

@@ -101,7 +101,7 @@ func (s *SkillsRoutes) installSkill(w http.ResponseWriter, r *http.Request) erro
 		Version:     req.Version,
 		Scope:       req.Scope,
 		ProjectRoot: req.ProjectRoot,
-		Client:      req.Client,
+		Clients:     req.Clients,
 		Force:       req.Force,
 		Group:       req.Group,
 	})

docs/server/docs.go

@@ -298,6 +298,26 @@ func TestSkillsRouter(t *testing.T) {
 			expectedStatus: http.StatusInternalServerError,
 			expectedBody:   "Internal Server Error",
 		},
+		{
+			name:   "install skill with clients",
+			method: "POST",
+			path:   "/",
+			body:   `{"name":"my-skill","clients":["claude-code","opencode"]}`,
+			setupMock: func(svc *skillsmocks.MockSkillService, _ string) {
+				svc.EXPECT().Install(gomock.Any(), skills.InstallOptions{
+					Name:    "my-skill",
+					Clients: []string{"claude-code", "opencode"},
+				}).Return(&skills.InstallResult{
+					Skill: skills.InstalledSkill{
+						Metadata: skills.SkillMetadata{Name: "my-skill"},
+						Status:   skills.InstallStatusInstalled,
+						Clients:  []string{"claude-code", "opencode"},
+					},
+				}, nil)
+			},
+			expectedStatus: http.StatusCreated,
+			expectedBody:   `"my-skill"`,
+		},
 		// install with version and scope
 		{
 			name:   "install skill with version and scope",

docs/server/swagger.json

@@ -25,8 +25,10 @@ type installSkillRequest struct {
 	Scope skills.Scope `json:"scope,omitempty"`
 	// ProjectRoot is the project root path for project-scoped installs
 	ProjectRoot string `json:"project_root,omitempty"`
-	// Client is the target client (e.g., "claude-code")
-	Client string `json:"client,omitempty"`
+	// Clients lists target client identifiers (e.g., "claude-code"),
+	// or ["all"] to target every skill-supporting client.
+	// Omitting this field installs to all available clients.
+	Clients []string `json:"clients,omitempty"`
 	// Force allows overwriting unmanaged skill directories
 	Force bool `json:"force,omitempty"`
 	// Group is the group name to add the skill to after installation

docs/server/swagger.yaml

@@ -159,8 +159,9 @@ func (c *Client) Install(ctx context.Context, opts skills.InstallOptions) (*skil
 		Version:     opts.Version,
 		Scope:       opts.Scope,
 		ProjectRoot: opts.ProjectRoot,
-		Client:      opts.Client,
+		Clients:     opts.Clients,
 		Force:       opts.Force,
+		Group:       opts.Group,
 	}
 
 	var resp installResponse

pkg/api/v1/skills.go

@@ -130,14 +130,14 @@ func TestInstall(t *testing.T) {
 				Name:    "my-skill",
 				Version: "1.0.0",
 				Scope:   skills.ScopeUser,
-				Client:  "claude-code",
+				Clients: []string{"claude-code"},
 				Force:   true,
 			},
 			wantBody: installRequest{
 				Name:    "my-skill",
 				Version: "1.0.0",
 				Scope:   skills.ScopeUser,
-				Client:  "claude-code",
+				Clients: []string{"claude-code"},
 				Force:   true,
 			},
 			response: installResponse{Skill: skills.InstalledSkill{