Context
Follow-up from PR #19 review thread (discussion_r3361754518).
The Qodo bot flagged that renderShowResult's footer hint (→ vendor it: skillrig add <name>) claims to be a runnable command, but appends the raw catalog name directly. A name that begins with - or contains spaces would break the suggested command (cobra flag parsing / shell splitting), violating the "footer is a runnable next-step" contract.
PR #19 added consume-side defense-in-depth (running the name through sanitizeTerminal before printing), but the robust place to guarantee the invariant is at ingestion, which is out of scope for that consume-only PR.
The invariant
The agentskills.io spec constrains name to: lowercase letters, numbers and hyphens only, max 64 chars, must not start or end with a hyphen, and no consecutive hyphens (so no spaces, no leading -, no uppercase).
For any spec-conformant origin, the footer skillrig add <name> is therefore always shell/cobra-safe — the leading-dash / space concern only materializes for a non-conformant catalog.
Proposed work
Enforce the slug pattern origin-side so a non-conformant name is rejected at the source rather than papered over on every consumer:
- name slug pattern in ParseManifest (reject non-conformant names with an errors-as-navigation message stating the rule + offending value).
- index (and lint, when it lands) reject a catalog containing a non-conformant name.
- ParseManifest/index/lint (AP-04), not a parallel copy.
This narrows validateSkillName in skillcore from "single path segment" to the full agentskills.io slug rule.
Spec refs
Filed as the follow-up promised in #19 (comment).
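A sketch of the slug rule as a single shared validator, added here as an illustration and not taken from the skillrig code base. The names validateSlugName and nonConformant are hypothetical, the sample catalog is constructed, and rejecting the empty string is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// maxNameLen is the 64-character limit quoted in the issue.
const maxNameLen = 64

// slugRule is the human-readable rule echoed in every rejection message.
const slugRule = "lowercase letters, numbers and single hyphens, " +
	"max 64 chars, no leading or trailing hyphen"

// slugRe matches runs of [a-z0-9] joined by single hyphens, so spaces,
// uppercase, a leading or trailing '-' and "--" all fail. Go's `$` matches
// only at end of text, so a trailing newline is rejected too.
var slugRe = regexp.MustCompile(`^[a-z0-9]+(?:-[a-z0-9]+)*$`)

// validateSlugName (hypothetical name) returns nil for a conformant name,
// otherwise an error stating the rule and the offending value. %q escapes
// control bytes, so a hostile name cannot smuggle terminal sequences into
// the message. Rejecting "" is an assumption of this example.
func validateSlugName(name string) error {
	if len(name) > maxNameLen || !slugRe.MatchString(name) {
		return fmt.Errorf("invalid skill name %q: want %s", name, slugRule)
	}
	return nil
}

// nonConformant (hypothetical) is the catalog-level check: it returns one
// error per offending name so an index or lint step can report them all.
func nonConformant(names []string) []error {
	var errs []error
	for _, n := range names {
		if err := validateSlugName(n); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample catalog names, not taken from any real origin.
	catalog := []string{"pdf-tools", "-rf", "my skill", "a--b", "Upper"}
	for _, err := range nonConformant(catalog) {
		fmt.Println(err)
	}
}
```

Because the pattern admits only ASCII, the byte length checked by len(name) equals the character count for every name that can pass.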