feat(dashboard): add skill autocomplete server-side enumeration and client wiring

- Add SkillsMixin with _enumerate_claude_skills and _enumerate_codex_skills - Claude: reads ~/.claude/skills/, parses YAML frontmatter for descriptions - Codex: reads curated cache + ~/.codex/skills/ user directory - Add /api/skills?agent= endpoint to HttpMixin - Add fetchSkills() API helper in dashboard - Wire autocomplete config through Modal -> SessionCard -> SimpleInput - Add getTriggerInfo() for detecting trigger at valid positions Closes: bd-3q1, bd-sv1, bd-3eu, bd-g9t, bd-30p, bd-1ba, bd-2n7, bd-3s3 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-26 15:53:45 -05:00
parent 2926645b10
commit c7db46191c
7 changed files with 266 additions and 7 deletions
--- a/amc_server/mixins/http.py
+++ b/amc_server/mixins/http.py
@@ -62,6 +62,15 @@ class HttpMixin:
                    project_dir = ""
                    agent = "claude"
                self._serve_conversation(urllib.parse.unquote(session_id), urllib.parse.unquote(project_dir), agent)
+            elif self.path == "/api/skills" or self.path.startswith("/api/skills?"):
+                # Parse agent from query params, default to claude
+                if "?" in self.path:
+                    query = self.path.split("?", 1)[1]
+                    params = urllib.parse.parse_qs(query)
+                    agent = params.get("agent", ["claude"])[0]
+                else:
+                    agent = "claude"
+                self._serve_skills(agent)
            else:
                self._json_error(404, "Not Found")
        except Exception:
@@ -73,7 +82,9 @@ class HttpMixin:

    def do_POST(self):
        try:
-            if self.path.startswith("/api/dismiss/"):
+            if self.path == "/api/dismiss-dead":
+                self._dismiss_dead_sessions()
+            elif self.path.startswith("/api/dismiss/"):
                session_id = urllib.parse.unquote(self.path[len("/api/dismiss/"):])
                self._dismiss_session(session_id)
            elif self.path.startswith("/api/respond/"):
@@ -113,7 +124,12 @@ class HttpMixin:
            full_path = DASHBOARD_DIR / file_path
            # Security: ensure path doesn't escape dashboard directory
            full_path = full_path.resolve()
-            if not str(full_path).startswith(str(DASHBOARD_DIR.resolve())):
+            resolved_dashboard = DASHBOARD_DIR.resolve()
+            try:
+                # Use relative_to for robust path containment check
+                # (avoids startswith prefix-match bugs like "/dashboard" vs "/dashboardEVIL")
+                full_path.relative_to(resolved_dashboard)
+            except ValueError:
                self._json_error(403, "Forbidden")
                return