Add MCP and skill installer / 新增 MCP 与 Skill 安装器

[SivanCola]

Summary

• add an install_source meta tool and built-in install-capability skill for two-phase MCP/skill installs and uninstalls
• support URL, GitHub/raw, local file/folder, .mcp.json, executable, and package-name sources with plan IDs, risk levels, rollback, and replace handling
• normalize pasted MCP command lines and add Windows stdio PATH fallback for common Node/npm install locations

Cache impact

• This intentionally adds one meta tool schema and one built-in skill, so it changes the stable prompt/tool prefix once. The implementation keeps the schema stable and avoids dynamic state in the prefix.

Testing

• go test ./... -count=1
• (cd desktop && go test ./... -count=1)
• (cd desktop/frontend && npm run build)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 47cbfa7d74

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[esengine]

Reviewed this carefully (it's large + security-sensitive). The good news: zip-slip/path-traversal is safe (filepath.Rel + O_EXCL), symlink-escape is blocked, no command injection (argv, not shell), and rollback/replace is correct and tested. Two security must-fixes from the review:

1. SSRF — I pushed a fix for this one. fetchText used the proxy-aware netclient, which has no dial-time SSRF guard, so source=http://169.254.169.254/... (or a DNS-rebind) could reach cloud metadata / internal services. I wrapped the client's transport with the same dial-time guard web_fetch uses (resolve → block private/link-local/CGNAT/unspecified → dial the vetted IP; loopback stays allowed), + a regression test (internal/installsource/ssrf.go, TestFetchTextRefusesInternalAddress). Please sanity-check it.

2. Consent story — your call (design decision). doc.go:5 and the install-capability skill prompt promise apply happens "only when ... ApprovalFunc consents", but Options.Approval is never wired in boot.go (it's nil), so that machinery is purely advisory. The only real gate is the agent permission system (install_source is not ReadOnly → Ask by default), which in a headless reasonix run with a nil approver resolves Ask → auto-Allow — i.e. apply=true can run npx -y <pkg> with no human in the loop, same as bash. Either:

• (a) wire Approval to the host so the promised confirmation actually fires (preferred — matches the repo's "enforce in the harness, not the prompt" principle), or
• (b) drop the consent promise from doc.go + the skill prompt so it doesn't claim a guarantee that isn't structurally enforced.

The docs just shouldn't promise an enforced confirmation that doesn't exist. Should-fix (non-blocking): validate the MCP server name charset from an untrusted .mcp.json (currently only non-empty). Happy to re-review once you pick (a)/(b).

[SivanCola]

Addressed in 97017fd.

For the consent-story item, I chose option (b): the package docs no longer claim that apply only runs after an ApprovalFunc consent, and the install-capability skill now says any needed user confirmation must happen before apply=true while host permissions may still deny the apply call.

I also fixed the should-fix by validating MCP server names from .mcp.json/direct entries against the existing Reasonix identifier rules, with regression coverage for invalid names.

Verified:

• go test ./internal/installsource ./internal/skill
• go test ./...