Follow-up from PR #876 post-merge review
Reviewer: River (TypeScript Architect) via @diberry
Original PR: #876
Critical
- No YAML value escaping — skill names/descriptions containing colons, hashes, quotes, or newlines produce invalid YAML in publish() and generateApmYml()
- Hand-rolled YAML parser in installFromGitHub — line-splitting and regex will break on multi-line strings, quoted values with colons. Consider yaml npm package (0 deps, 50KB).
Medium
- catch (err: any) x2 should be catch (err: unknown) with narrowing (skill.ts:1057, 1171)
- as { name: string; path: string } x3 should use type guards (skill.ts:1117, 1125, 1131)
- Non-null assertions (!) x6 — regex groups and array indices not narrowed by TS
- parseFrontMatter returns Record<string, string> — no compile-time contract (skill.ts:819)
- ApmManifest declared but never validated at runtime
Low
- generateApmYml uses sync fs (writeFileSync) while skill.ts is fully async
- Silent error swallowing in collectSkills, readProjectName, listSkills
- 568 lines in one file — needs splitting
Action Items (priority order)
- Add YAML value escaping for all publish/init output paths
- Add unit tests for YAML parsing — at least 5 cases
- Replace catch (err: any) with catch (err: unknown)
- Add parseApmManifest() runtime validator
- Consider yaml npm package vs maintaining regex parser
Also noted by @Omzig
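The YAML value escaping asked for in the first action item, as an added example (not code from PR #876 or skill.ts). It relies on JSON string syntax being valid YAML 1.2 double-quoted syntax; the helper names and the `name` / `description` keys are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not code from skill.ts.
// The `name` / `description` keys are assumed for illustration.

interface SkillMeta {
  name: string;
  description: string;
}

/** Emit any string as a YAML double-quoted scalar. */
function yamlQuote(value: string): string {
  // JSON string syntax is also valid YAML 1.2 double-quoted syntax, and
  // JSON.stringify escapes quotes, backslashes, newlines and C0 controls.
  // DEL, C1 controls and U+2028/U+2029 are escaped too, as a precaution
  // for stricter or older parsers.
  return JSON.stringify(value).replace(
    /[\u007f-\u009f\u2028\u2029]/g,
    (c) => "\\u" + ("0000" + c.charCodeAt(0).toString(16)).slice(-4),
  );
}

/** The "before": raw interpolation, as the review finding describes. */
function renderUnescaped(meta: SkillMeta): string {
  return `name: ${meta.name}\ndescription: ${meta.description}\n`;
}

/** The "after": every value goes through yamlQuote. */
function renderEscaped(meta: SkillMeta): string {
  return `name: ${yamlQuote(meta.name)}\ndescription: ${yamlQuote(meta.description)}\n`;
}

/** Number of non-empty lines in the rendered document. */
function lineCount(doc: string): number {
  return doc.split("\n").filter((l) => l.length > 0).length;
}

// Constructed sample input covering the characters named in the review:
// colon, hash, double quotes and a newline.
const sample: SkillMeta = {
  name: 'lint: "strict" #1',
  description: "first line\nsecond: line",
};

console.log(renderUnescaped(sample)); // the newline spills into an extra line
console.log(renderEscaped(sample)); // one line per key, values quoted
```

The same constructed values can seed the unit tests in the second action item: parse the escaped output and compare it with the input.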