mirror of
https://github.com/browseros-ai/BrowserOS.git
synced 2026-05-13 15:46:22 +00:00
59b00a6837
* feat: add remote skill download and auto-sync Download default skills from remote catalog on first setup with bundled fallback when offline. Background sync every 45 minutes checks for new/updated skills without overwriting user-customized ones. Tracks installed defaults via content hashes in a local manifest file. * feat: make skills catalog URL configurable and add generation script Add SKILLS_CATALOG_URL env var (following CODEGEN_SERVICE_URL pattern) with fallback to the default constant. Add script to generate catalog.json from bundled defaults for static hosting. * feat: add R2 upload script and use cdn.browseros.com for catalog URL Add upload-skills-catalog.ts that generates and uploads catalog.json to Cloudflare R2 (same infra as existing build artifacts). Update default catalog URL to cdn.browseros.com/skills/v1/catalog.json. * test: add E2E tests for remote skill sync against live CDN * fix: address code review findings — security, validation, DRY - Add path traversal protection via safeSkillDir in writeSkillFile and readSkillContent (reuses existing validation from service.ts) - Add runtime type guards for catalog JSON and manifest JSON parsing - Fix seedFromRemote to return false on partial failure so bundled fallback kicks in - Add per-skill error handling in syncRemoteSkills so one bad skill doesn't crash the entire sync - Wire stopSkillSync into Application.stop() shutdown path - Extract version from frontmatter in seedFromBundled instead of hardcoding '1.0' - Consolidate duplicated logic: reuse installSkill/writeSkillFile/ contentHash/saveManifest from remote-sync.ts in seed.ts - Extract shared catalog generation into scripts/catalog-utils.ts * test: add flow tests for all four sync scenarios against live CDN * refactor: remove redundant scripts and inline catalog generation Drop generate-skills-catalog.ts, catalog-utils.ts, and e2e-remote-sync.test.ts (covered by flows.test.ts). Inline catalog generation into upload-skills-catalog.ts. * test: add full E2E server flow test against live CDN Tests all 7 steps of the real server lifecycle: fresh seed from CDN, no-op sync, user edit preservation, skill reinstall, custom skill protection, background timer firing, and second startup skip. * chore: remove e2e-server-flow test * fix: address Greptile review — entry validation, size limit, DRY, no-op saves - Validate individual skill entries in catalog (id, version, content must all be strings) not just the top-level shape - Add 1MB response size limit on catalog fetch to prevent resource exhaustion from compromised/misconfigured CDN - Skip manifest save when sync cycle had no changes (avoids unnecessary disk I/O every 45 minutes) - Share extractVersion via remote-sync.ts export, remove duplicate from seed.ts * fix: prevent bundled fallback from overwriting partial remote seeds When seedFromRemote partially fails, the bundled fallback now skips skills already in the manifest (installed by the partial remote seed). Also adds Content-Length early check before downloading the full catalog response body. * fix: run sync immediately on startup, not just on interval Previously the first sync fired 45 minutes after boot. Now startSkillSync runs one sync immediately so returning users get skill updates right away. * refactor: simplify sync — remote always wins, remove manifest Remote catalog is the source of truth. If a skill exists in the catalog, its version is compared against local frontmatter and overwritten when newer. No manifest file, no content hashes. User-created skills (IDs not in catalog) are never touched. * fix: skip bundled skills already installed by partial remote seed * chore: remove unreliable Content-Length check * chore: remove size limit checks, fetch timeout is sufficient