
feat: implement local registry loader (packages/registry) #433

Draft
Copilot wants to merge 2 commits into master from copilot/implement-local-registry-loader


Copilot AI commented May 25, 2026

The CLI had no central index for discovering available action packs, skills, and packs. Per the PRD, a packages/registry/ directory with JSON index files is the canonical local source for this metadata.

Changes

New package: @profullstack/sh1pt-registry

  • actions.json / skills.json / packs.json — index files listing all built-in entries with name, publisher, version, description, trustLevel, category, and path fields
  • src/index.ts — exports loadActionsRegistry(), loadSkillsRegistry(), loadPacksRegistry() with descriptive error wrapping on I/O and parse failures

const actions = await loadActionsRegistry();
// [{ name: 'vu1nz-scan', trustLevel: 'verified', category: 'security', path: 'packages/actions/vu1nz-scan/sh1pt.actionpack.yaml', ... }, ...]

CLI integration

  • packages/cli/src/lib/registry.ts — thin re-export so CLI commands import from a stable local path
  • packages/cli/package.json — adds @profullstack/sh1pt-registry: workspace:^

Initial registry entries

| Type | Entries |
| --- | --- |
| actions | vu1nz-scan, node-pnpm-ci, node-pnpm-test |
| skills | modern-web |
| packs | (empty, schema ready) |

Copilot AI linked an issue May 25, 2026 that may be closed by this pull request
@alwaysmeticulous

Meticulous was unable to execute a test run for this PR because the most recent commit is associated with multiple PRs. To execute a test run, please try pushing up a new commit that is only associated with this PR.

Last updated for commit f505900. This comment will update as new commits are pushed.

- Add packages/registry/ package with actions.json, skills.json, packs.json
- Add TypeScript loader module (loadActionsRegistry, loadSkillsRegistry, loadPacksRegistry)
- Add unit tests for all loaders
- Add packages/cli/src/lib/registry.ts re-export for CLI commands
- Register @profullstack/sh1pt-registry dependency in CLI package
Copilot AI changed the title from "[WIP] Add local registry loader for sh1pt CLI" to "feat: implement local registry loader (packages/registry)" May 25, 2026
Copilot AI requested a review from ralyodio May 25, 2026 19:20
@github-actions

github-actions Bot commented Jun 1, 2026

vu1nz Security Review

1 finding(s) in PR #433

MEDIUM: 1

Findings

| Severity | File | Issue | Suggestion |
| --- | --- | --- | --- |
| MEDIUM | packages/registry/src/index.ts | Path Traversal Risk in JSON File Loading | Add path validation to ensure filePath parameter cannot escape the intended directory. Consider using path.resolve() and checking that the resolve |

Full AI Analysis

Looking at this pull request, I can see it's adding a new registry package that manages local index files for actions, skills, and packs. Let me analyze each component for security vulnerabilities.

Security Analysis

After reviewing the code thoroughly, I found one potential security issue:

| Severity | File | Line | Issue | Suggestion |
| --- | --- | --- | --- | --- |
| Medium | packages/registry/src/index.ts | 44-55 | Path Traversal Risk in JSON File Loading | Add path validation to ensure filePath parameter cannot escape the intended directory. Consider using path.resolve() and checking that the resolved path starts with the expected base directory. |

Detailed Analysis

The Security Issue

The loadJsonFile function accepts a filePath parameter and directly reads from it without validation. While the current usage appears safe (hardcoded relative paths), the function design could be vulnerable to path traversal if ever used with user-controlled input in the future.

Current usage (safe):

loadJsonFile<ActionRegistryEntry>(join(REGISTRY_DIR, 'actions.json'))

Potential risk: If this function were ever called with user input, it could lead to reading arbitrary files.

What's NOT a Security Issue

Hardcoded file paths - The JSON files (actions.json, skills.json, packs.json) contain static registry data, not secrets

Trust levels - The trustLevel field is descriptive metadata, not an access control mechanism

Workspace dependencies - Using workspace:^ is a standard monorepo pattern and safe

File system operations - Reading from predetermined registry files in the package directory is expected behavior

JSON parsing - Standard JSON.parse() usage with proper error handling

Recommendation

The identified issue is relatively low risk given current usage, but implementing path validation would follow security best practices and prevent future vulnerabilities if the code evolves.
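
One way to implement the path validation suggested in the finding above, as an added example that is not code from this PR. `resolveInside` and `loadJsonFileSafe` are hypothetical names, and the array check assumes registry files hold a JSON array, as the snippet in the PR description suggests.

```typescript
import * as path from "node:path";
import { readFile, realpath } from "node:fs/promises";

// Hypothetical helper (not from the PR): resolve `requested` against `baseDir`
// and refuse anything that lands outside that directory.
export function resolveInside(baseDir: string, requested: string): string {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, requested);
  // path.relative() avoids the prefix bug of target.startsWith(base), which
  // would accept a sibling such as "/srv/registry-evil" for base "/srv/registry".
  const rel = path.relative(base, target);
  const escapes =
    rel === "" ||                      // the directory itself, not a file in it
    rel === ".." ||
    rel.startsWith(".." + path.sep) || // climbs out of the base directory
    path.isAbsolute(rel);              // different drive on Windows
  if (escapes) {
    throw new Error(`path escapes registry directory: ${requested}`);
  }
  return target;
}

// Hypothetical hardened loader: lexical check first, then the same check on
// the symlink-resolved paths, so a link inside the directory cannot redirect
// the read to a file outside it.
export async function loadJsonFileSafe<T>(baseDir: string, requested: string): Promise<T[]> {
  const lexical = resolveInside(baseDir, requested);
  const realBase = await realpath(baseDir);
  const real = resolveInside(realBase, await realpath(lexical));
  const parsed: unknown = JSON.parse(await readFile(real, "utf8"));
  if (!Array.isArray(parsed)) {
    throw new Error(`${requested}: expected a JSON array`);
  }
  return parsed as T[];
}
```
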

Development

Successfully merging this pull request may close these issues.

Implement local registry loader
