stacklok / toolhive / 22103270324

push

github

Add skill installer and extractor for OCI artifact extraction (#3835)

* Add skill installer and extractor for OCI artifact extraction

Implement the skill installer that extracts OCI artifact layers to
client skill directories with security validation and managed/unmanaged
detection.

Key changes:
- Add Extract() and Remove() in pkg/skills/installer.go for filesystem
  operations with defense-in-depth security (path traversal prevention,
  symlink validation, permission sanitization, size/count limits)
- Add PathResolver interface to decouple pkg/skills from pkg/client
- Update skillsvc with functional options pattern (WithPathResolver)
  and full Install/Uninstall logic including upgrade detection and
  file cleanup for all clients on uninstall
- Wire PathResolver via clientPathAdapter in API server
- Expose Client and Force fields in install API request

Closes #3649

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address review feedback for skill installer

- Add symlink protection to Remove using Lstat/EvalSymlinks
- Fix cross-platform root detection (filepath.Dir/VolumeName)
- Make Uninstall cleanup best-effort with errors.Join
- Roll back extraction on store Create/Update failure
- Introduce Installer interface for DI and testability

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

280 of 360 new or added lines in 6 files covered. (77.78%)

44877 of 72252 relevant lines covered (62.11%)

77.83 hits per line