Add maui ai command group for AI-assisted development bootstrapping

[jfversluis]

Summary

Updates this PR with current main and expands maui ai init into a one-stop bootstrap command for AI-powered .NET MAUI development.

The top-level bootstrap now orchestrates all relevant MAUI AI assets without duplicating DevFlow logic:

• Reuses the existing DevFlow-owned bundled installer (DevFlowSkillManager.InstallRecommendedAsync) for recommended DevFlow skills.
• Installs non-DevFlow marketplace skills from plugins/dotnet-maui/skills.
• Discovers and installs repo-local project skills from .github/skills such as Comet Go and MAUI platform backend guidance.
• Discovers and installs MAUI/Comet-related Copilot agent definitions from .github/agents/*.agent.md.
• Detects Claude Code, VS Code, Copilot CLI, and OpenCode environments, deduping shared .github/skills targets.
• Configures the DevFlow MCP server unless --no-mcp is specified.
• Preserves dry-run, JSON, CI, force, skill filtering, and environment filtering behavior.

Implements #97.

Commands

Command	Description
maui ai init	Bootstrap MAUI AI/Copilot development assets and configure MCP
maui ai list	Show available marketplace and repository skills
maui ai status	Show installed AI asset status, including DevFlow skills and Copilot agents
maui ai update	Refresh installed AI assets, including DevFlow skills and Copilot agents
maui ai add <skill>	Install a specific marketplace or repository skill by name

Architecture

Service layer (Ai/):

• MarketplaceClient fetches marketplace/plugin manifests, enumerates skills, and downloads skill files.
• RepositoryAssetInstaller discovers, installs, and inspects repository-hosted AI assets such as Copilot agent definitions.
• AgentEnvironmentDetector detects agent environments and handles normal repos plus worktree .git files.
• McpConfigurator merges the maui-devflow MCP server entry into agent config files.
• SkillInstaller and SkillVersionStore install non-DevFlow skills and track versions.
• AiJsonContext provides AOT-compatible source-generated JSON serialization.

Commands (Commands/AiCommands*.cs):

• Top-level maui ai command group follows the existing partial command pattern.
• maui ai init delegates DevFlow skill installation to the existing DevFlow implementation instead of duplicating it.
• maui ai status now reports DevFlow bundled skill state, marketplace/repository skills, and Copilot agent definitions.
• maui ai update now calls the DevFlow updater, refreshes installed marketplace/repository skills, and updates repo-hosted Copilot agents.
• Non-DevFlow skills and repo assets remain managed by the AI bootstrap layer.

Docs

• Root README points developers to maui ai init --dry-run, maui ai init, maui ai status --check-updates, and maui ai update.
• CLI README includes the AI bootstrap quick start and command table entries.

Testing

• ./.dotnet/dotnet test src/Cli/Microsoft.Maui.Cli.UnitTests/ --no-restore --logger "console;verbosity=minimal"
• git diff --check

/cc @Redth

[Copilot]

Pull request overview

Adds a new top-level maui ai command group to bootstrap and manage AI-agent “skills” for MAUI development by fetching skill definitions from the repo marketplace and installing them into detected agent environments, plus wiring up MCP configuration.

Changes:

• Register new maui ai command group in the CLI root command.
• Implement init/list/status/update/add commands plus supporting service layer (MarketplaceClient, environment detection, skill install/version tracking, MCP config merge).
• Add unit test coverage for command construction, marketplace frontmatter parsing, version store, environment detection, and MCP config behavior.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/Cli/Microsoft.Maui.Cli/Program.cs	Registers maui ai in the root command.
src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.cs	Defines the ai command group and shared options/HTTP client creation.
src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.Init.cs	Implements maui ai init (fetch marketplace, detect envs, select/install skills, configure MCP).
src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.List.cs	Implements maui ai list (marketplace listing).
src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.Status.cs	Implements maui ai status (installed skills + optional update check).
src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.Update.cs	Implements maui ai update (update installed skills to latest).
src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.Add.cs	Implements maui ai add <skill> (install one skill).
src/Cli/Microsoft.Maui.Cli/Ai/AgentEnvironmentDetector.cs	Detects Claude/VS Code/OpenCode in repo + Copilot CLI in user profile.
src/Cli/Microsoft.Maui.Cli/Ai/MarketplaceClient.cs	Fetches marketplace/plugin manifests, enumerates skills, downloads files, parses SKILL.md frontmatter.
src/Cli/Microsoft.Maui.Cli/Ai/McpConfigurator.cs	Merges maui-devflow MCP server entry into environment config JSON.
src/Cli/Microsoft.Maui.Cli/Ai/SkillInstaller.cs	Downloads skill files and writes .skill-version metadata.
src/Cli/Microsoft.Maui.Cli/Ai/SkillVersionStore.cs	Reads/writes .skill-version JSON (including legacy format).
src/Cli/Microsoft.Maui.Cli/Ai/AiJsonContext.cs	Source-generated JSON serialization context for AOT friendliness.
src/Cli/Microsoft.Maui.Cli/Ai/Models/*.cs	POCO models for manifests, skill info, environment info, version metadata.
src/Cli/Microsoft.Maui.Cli.UnitTests/AiCommandsTests.cs	Tests AI command construction and option/alias wiring.
src/Cli/Microsoft.Maui.Cli.UnitTests/AgentEnvironmentDetectorTests.cs	Tests environment detection behavior and paths.
src/Cli/Microsoft.Maui.Cli.UnitTests/MarketplaceClientTests.cs	Tests SKILL.md frontmatter parsing.
src/Cli/Microsoft.Maui.Cli.UnitTests/McpConfiguratorTests.cs	Tests MCP config creation/merge/idempotency across environments.
src/Cli/Microsoft.Maui.Cli.UnitTests/SkillVersionStoreTests.cs	Tests .skill-version read/write/legacy behavior.

[Copilot]

Pull request overview

Copilot reviewed 27 out of 27 changed files in this pull request and generated 7 comments.

[github-actions]

Expert Code Review: 8 findings posted inline (1 critical, 5 moderate, 2 minor). See the lean summary comment for methodology and discarded findings.

Generated by Expert Code Review · ● 36.3M

[github-actions]

Expert Code Review: 3 findings posted inline. See the lean summary comment for full details.

Generated by Expert Code Review · ● 34.2M

[github-actions]

Expert Code Review: 4 findings posted inline (1 critical, 2 moderate, 1 minor). See the lean summary comment for full methodology and discarded findings.

Generated by Expert Code Review · ● 29.5M

[github-actions]

Expert Code Review — maui ai command group

Reviewed all 30 files in this PR for regressions, security issues, bugs, data loss, and race conditions. Overall this is well-structured code with strong security defenses (path traversal guards, atomic writes, symlink detection). Below are the findings.

---

🟡 MODERATE — TOCTOU race in RepositoryAssetInstaller.InstallAssetAsync

File: src/Cli/Microsoft.Maui.Cli/Ai/RepositoryAssetInstaller.cs, lines ~78-88 in InstallAssetAsync
Scenario: The code checks IsReparsePoint(fullDestinationPath) during the file-list loop, then checks again after downloading content, then finally calls WriteFileAtomicallyWithinRootAsync. Between the second check and the write, an attacker with local access could replace the destination directory with a symlink (TOCTOU). The WriteFileAtomicallyWithinRootAsync re-checks via IsSafeDestination which mitigates the risk for the actual write, but the intermediate Directory.CreateDirectory(destinationRoot) (line ~74) occurs before any check, and could follow a symlink that was just created.
Recommendation: The risk is mitigated by the post-creation IsPathWithinRoot check right after Directory.CreateDirectory. This is defense-in-depth and acceptable for a CLI tool (not a privileged daemon). Low practical risk but worth noting.

---

🟡 MODERATE — ContainsJsonComments can throw JsonException which is unhandled in ConfigureAsync

File: src/Cli/Microsoft.Maui.Cli/Ai/McpConfigurator.cs, line ~110 (backupExistingConfig = ContainsJsonComments(existingJson))
Scenario: ContainsJsonComments uses a Utf8JsonReader with CommentHandling = Allow. If the existing file is parseable by JsonNode.Parse (which uses AllowTrailingCommas + Skip for comments) but contains certain edge cases that cause Utf8JsonReader.Read() to throw (e.g., extremely large nesting depth), the JsonException would propagate. However — looking at the outer catch (JsonException) in ConfigureAsync, this IS caught.
Verdict: False alarm on review — the outer catch handles it. No action needed.

---

🟡 MODERATE — SkillInstaller.InstallSkillAsync downloads ALL files before checking count, wasting bandwidth on partial failures

File: src/Cli/Microsoft.Maui.Cli/Ai/SkillInstaller.cs, lines ~87-93
Scenario: DownloadSkillFilesAsync downloads files one by one and returns the count of successfully written files. If the expected count is, say, 5 and the 3rd file fails to download (returns null from FetchRawBytesAsync), the method still continues and counts only the successful ones. Then InstallSkillAsync compares filesInstalled != expectedFileCount → returns (-2, ""). The files were already downloaded to the temp dir and written to disk before the count mismatch is detected. This is wasteful but not a bug — the finally block cleans up.
Verdict: Not a bug. Behavior is correct — temp directory is cleaned up. Minor efficiency concern only.

---

🟡 MODERATE — AgentEnvironmentDetector.Detect loop termination has dead/confusing code

File: src/Cli/Microsoft.Maui.Cli/Ai/AgentEnvironmentDetector.cs, lines ~83-88
Scenario: The loop has:

if (rootFullPath is null)
    break;
if (rootFullPath is not null && ...)
    break;

The second rootFullPath is not null check is always true at that point because the first if already breaks when null. This is dead code that reduces readability but does not affect correctness.
Recommendation: Remove the redundant rootFullPath is not null && condition from the second check for clarity.

---

🟡 MODERATE — McpConfigurator strips JSON comments without warning when modifying files

File: src/Cli/Microsoft.Maui.Cli/Ai/McpConfigurator.cs, lines ~106-110, ~131-133
Scenario: If a user's mcp.json contains JSON5 comments (common for VS Code config files), the code correctly backs up the file before overwriting. However, the re-serialization via root.ToJsonString(options) always strips comments from the output. Users who rely on inline comments in their MCP config will lose them permanently (backup only goes to .bak). This is documented behavior (backup is created) but could surprise users.
Recommendation: Consider emitting a console warning when comments are detected and stripped, so users know to check the .bak file. The current backup mechanism is adequate, but visibility helps.

---

🟡 MODERATE — RepositoryAssetInstaller.InstallAssetAsync returns (0, destinationRoot) when all files are skipped due to !force

File: src/Cli/Microsoft.Maui.Cli/Ai/RepositoryAssetInstaller.cs, end of method
Scenario: When force=false and all files already exist, filesToInstall is empty, fileContents is empty, and the method returns (0, destinationRoot). This is returned to callers like the update command which checks files <= 0 as a failure condition (HasUpdateInstallFailures returns true for files == 0). This means a skill that is already up-to-date but gets processed by the update path will be reported as a failure.
Recommendation: This is mitigated because the update command only calls InstallAssetAsync with force: true for items that NeedsUpdate already confirmed need updating. For the init and add flows, 0 means "skipped" and is handled correctly with appropriate user messaging. No functional bug, but the return value semantics are subtle.

---

🟢 MINOR — CreateGitHubHttpClient uses hardcoded User-Agent version "1.0"

File: src/Cli/Microsoft.Maui.Cli/Commands/AiCommands.cs, line ~74
Scenario: The User-Agent is Microsoft.Maui.Cli/1.0 regardless of actual CLI version. GitHub rate-limits by UA and a static version string makes debugging API issues harder.
Recommendation: Use the actual assembly version or Program.Version if available.

---

🟢 MINOR — ParseFrontmatter does not handle > (folded without chomp) correctly

File: src/Cli/Microsoft.Maui.Cli/Ai/MarketplaceClient.cs, ParseFrontmatter method
Scenario: The YAML block scalar detection checks for >-, >, |, |-, |+, >+. For the > indicator (folded, clip), YAML spec says a trailing newline should be preserved. The current implementation joins with spaces and doesn't append a newline. For SKILL.md descriptions this is harmless (descriptions don't need trailing newlines), but it's technically not YAML-compliant.
Recommendation: Acceptable for the use case. No action needed.

---

🟢 MINOR — NormalizePath allows paths with leading . segments (e.g., .hidden/path)

File: src/Cli/Microsoft.Maui.Cli/Ai/MarketplaceClient.cs, NormalizePath method
Scenario: A path like .github/skills/..hidden-dir/SKILL.md passes validation. The .. check only looks for exact .. segments (split by /), so .hidden or ...triple pass through. This is correct behavior — Unix allows dotfiles. Not a bug.

---

Summary

No 🔴 CRITICAL issues found. The security model is well-designed with layered defenses (path normalization, symlink detection, atomic writes, path-within-root guards). The code is production-ready with the minor observations noted above.

Generated by Expert Code Review · ● 41.8M

[github-actions]

Expert Code Review: 6 findings posted inline (all 🟡 moderate). See the lean summary comment for methodology and details.

Generated by Expert Code Review · ● 32.2M

[github-actions]

Expert Code Review: 5 findings posted inline (1 critical, 3 moderate, 1 minor). See the lean summary comment for methodology and discarded findings.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• learn.microsoft.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "learn.microsoft.com"

See Network Configuration for more information.

Generated by Expert Code Review · ● 26M

[github-actions]

🟢 MINOR · Consensus: 2/3

Non-atomic directory replacement has a crash-unsafe window. If the process is killed between line 145 (Directory.Move to backup) and line 149 (Directory.Move source → destination), the skill directory disappears: the old install is in a .bak path and the new one hasn't landed yet. RestoreBackupDirectory handles the IOException path, but kill -9 / power loss bypasses it.

Recommendation: Document this limitation. Consider detecting orphaned .bak directories on next run and recovering automatically, or writing a sentinel file before the swap to enable recovery.

[github-actions]

Expert Code Review — maui ai init Bootstrap Command

I reviewed the full implementation (all 30 files) for regressions, security issues, bugs, data loss, and race conditions. The security posture is strong — FileSystemPathGuard, NormalizePath with traversal rejection, reparse-point checks, and atomic writes are well-implemented. No critical issues found.

🟡 MODERATE (4 findings)

#	File	Line	Issue
1	AiCommands.List.cs	~65	Uses Directory.GetCurrentDirectory() directly instead of GetAiCommandWorkingDirectory() like all other commands. Running from a subdirectory will miss environments detected at the Git root.
2	AiCommands.Update.cs	~125	Installed skills with PluginPath == null are silently excluded from updatable even with --force. User sees "all up to date" for stale skills.
3	McpConfigurator.cs	~220	GetConfigWriteRoot unconditionally returns projectRoot for non-CopilotCli kinds. If config path is outside project root (e.g., user-scoped OpenCode), the write will silently fail.
4	SkillInstaller.cs	~72–100	TOCTOU between ReadAsync check and ReplaceDirectory — concurrent invocations can race. Acceptable for a CLI tool but worth documenting.

🟢 MINOR (5 findings)

#	File	Line	Issue
5	RepositoryAssetInstaller.cs	~213	GetAssetRelativePath can produce empty string for edge-case inputs (malformed tree entry matching destination prefix exactly).
6	FileSystemPathGuard.cs	~68	Temp dirs (.maui-ai-write.*.tmp) created in project root may appear in git status if process is interrupted.
7	StringOrArrayConverter.cs	~44	Returns [] silently for unexpected JSON token types (number, object, null) — masks plugin.json configuration errors.
8	AgentEnvironmentDetector.cs	~76	When no Git root exists, only the immediate working directory is scanned (loop breaks immediately). Behavior differs from doc saying "scans up to Git root."
9	MarketplaceClient.cs	~287	ParseFrontmatter handles block-scalar description: but not name: — a name: >- entry will parse as literal ">-".

Overall: solid implementation with good security hardening. The moderate issues are correctness edge cases, not vulnerabilities.

Generated by Expert Code Review · ● 30.7M

[github-actions]

Expert Code Review: 3 findings posted inline (2 moderate, 1 minor). See the summary comment for full methodology and discarded findings.

Generated by Expert Code Review · ● 44.6M

[github-actions]

🟢 MINOR · Consensus: 2/3 reviewers agree

Fragile hardcoded DevFlow status strings + misleading status for uncheckable skills

NeedsUpdate pattern-matches on raw DevFlow-internal status strings ("installed-from-different-cli-same-version", "dirty", "unknown-or-unmanaged", etc.). This creates a fragile coupling: if DevFlow renames any of these values, the update command silently stops working for affected skills. Additionally, "unknown-or-unmanaged" means ANY skill DevFlow doesn't recognize will unconditionally trigger an update attempt on every maui ai update run.

Separately, skills with legacy .skill-version entries (no PluginPath) display "Installed" even when --check-updates is set, giving a false sense of freshness.

Recommendation: Consider moving the "needs update" predicate into DevFlowSkillManager (which owns the status schema) and exposing it as a typed method. For uncheckable skills, surface a distinct status like "Unknown" when --check-updates is requested but verification is impossible.

[github-actions]

Expert Code Review: 6 findings posted inline (3 moderate, 3 minor). See the lean summary comment for methodology and discarded findings.

Generated by Expert Code Review · ● 39.6M

[github-actions]

🟢 MINOR · Consensus: 2/3 reviewers

Partial write with no rollback: If WriteFileAtomicallyWithinRootAsync fails mid-loop (line 129–135), earlier files already written are left on disk — leaving the asset in an inconsistent state. The SkillInstaller uses a staging directory + atomic move pattern to avoid this.

Currently low impact since repository assets are typically single-file (Copilot agents), but worth noting for future multi-file asset support.

Recommendation: Consider downloading all content to a temp staging directory first (mirroring SkillInstaller.ReplaceDirectory), then atomically swapping into place.

[github-actions]

🟢 MINOR · Consensus: 2/3 reviewers

Windows reserved device names not rejected: Path.GetInvalidFileNameChars() does not include Windows reserved names (CON, PRN, AUX, NUL, COM1–COM9, LPT1–LPT9). A skill with such a name would pass validation but cause Directory.CreateDirectory / File.WriteAllBytes to fail unpredictably on Windows.

Recommendation: Add a check after line 48:

|| (OperatingSystem.IsWindows() && IsWindowsReservedName(skill.Name))

[github-actions]

Expert Code Review: 4 findings posted inline. See the lean summary comment for full details and methodology.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• patchdiff.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"

See Network Configuration for more information.

Generated by Expert Code Review · ● 33.6M

[github-actions]

🟡 MODERATE · Consensus: 2/3 reviewers

Duplicate IsReparsePoint check. Line 117 and line 119 both call FileSystemPathGuard.IsReparsePoint(env.SkillsDirectory) — the third condition is an exact copy of the first and provides no additional protection.

The intent may have been to re-check after Directory.Exists (TOCTOU guard), but since no directory is created between the checks, the second call is redundant.

Suggestion: Remove the duplicate third condition:

if (FileSystemPathGuard.IsReparsePoint(env.SkillsDirectory) ||
    !Directory.Exists(env.SkillsDirectory))

Or, if TOCTOU protection is desired, check each returned skillDir inside the foreach (which is already done at line 125/126).

[github-actions]

🟡 MODERATE · Consensus: 3/3 reviewers

maui ai add bypasses DevFlow installer for DevFlow-managed skills. Unlike init and update (which check IsDevFlowManagedSkillName() and route to DevFlowSkillManager), the add command installs any marketplace skill — including DevFlow-managed ones like maui-devflow-debug — directly through SkillInstaller, bypassing the intended ownership/version flow.

Suggestion: Add a guard before installation:

if (IsDevFlowManagedSkillName(skill.Name))
{
    formatter.WriteWarning(
        $"'{skill.Name}' is managed by DevFlow. Use 'maui ai init' or 'maui ai update' instead.");
    return 1;
}

[github-actions]

Expert Code Review — PR #98

Methodology: 3 independent reviewers with adversarial consensus

6 findings posted as inline comments (4 🟡 moderate, 2 🟢 minor)

#	Severity	File	Finding
1	🟡	FileSystemPathGuard.cs:86	TOCTOU between final safety check and File.Move
2	🟡	MarketplaceClient.cs:459	Branch parameter not validated for .. path-traversal segments
3	🟡	AiCommands.AssetStatus.cs:273	NeedsUpdate treats "Missing"/"unknown-or-unmanaged" as update triggers
4	🟡	RepositoryAssetInstaller.cs:129	Partial-write inconsistency on multi-file assets
5	🟢	AiCommands.AssetStatus.cs:119	Duplicate IsReparsePoint call (copy-paste)
6	🟢	McpConfigurator.cs:241	Backup .bak silently overwritten on each run

Discarded findings (single reviewer only, did not reach consensus)

• SkillInstaller temp directory default permissions (1/3 — follow-up disagreed: path is under user-private config dir)
• McpConfigurator.GetConfigWriteRoot returns projectRoot without verifying configDir is within it (1/3)
• HttpClient missing rate-limit handling for GitHub 403/429 (1/3)
• ResolveProjectRoot falls back to arbitrary non-git directory (1/3)
• ReadBytesWithLimitAsync oversized response treated as "file not found" (1/3)
• AgentEnvironmentDetector break behavior on null git root (1/3)
• ParseFrontmatter empty frontmatter edge case (1/3)
• SkillInstaller.ReplaceDirectory error message lacks detail (1/3)
• Complex logic flow between includeDevFlowSkills and marketplace filters (1/3)
• FileSystemPathGuard.CreatePrivateDirectory Windows temp dir not ACL-restricted (1/3)

CI Status

• ✅ license/cla — passed
• 🔄 build / build (windows-latest) — in progress
• 🔄 build / build (macos-latest) — in progress

Test Coverage

PR includes comprehensive unit tests (8 new test files: AgentEnvironmentDetectorTests, AiCommandsTests, AiIntegrationTests, MarketplaceClientTests, McpConfiguratorTests, RepositoryAssetInstallerTests, SkillInstallerTests, SkillVersionStoreTests, StringOrArrayConverterTests). Good coverage of the new service layer.

Generated by Expert Code Review · 3 independent reviewers with adversarial consensus

Generated by Expert Code Review · ● 26.2M · ◷

[github-actions]

Expert Code Review: 6 findings posted inline (4 moderate, 2 minor). See the lean summary comment for methodology and discarded findings.

Generated by Expert Code Review · ● 26.2M

[github-actions]

🟡 MODERATE · 2/3 consensus

TOCTOU race between final safety check and File.Move.

The IsSafeDestination check at line 83 verifies the destination isn't a symlink, but File.Move at line 86 re-resolves the path. A local attacker with write access to the destination directory could swap fullDestinationPath to a symlink between these two operations, redirecting the write outside the intended root.

The window is small and requires local filesystem access, but this method is explicitly designed as a security boundary (FileSystemPathGuard).

Recommendation: After the final IsSafeDestination check, additionally verify that fullDestinationPath is not a reparse point, or use handle-based open with O_NOFOLLOW / FILE_FLAG_OPEN_REPARSE_POINT semantics to prevent symlink dereference on the final rename.

[github-actions]

🟡 MODERATE · 2/3 consensus

NeedsUpdate is overly aggressive — treats "Missing" and "unknown-or-unmanaged" as update triggers.

Two concerns:

1. "Missing" causes maui ai update to install assets that were never installed, rather than just updating existing ones. Users expect update to refresh what's already present, not add new things.
2. "unknown-or-unmanaged" causes silently replacing hand-placed customized skill files with bundled versions — no warning that an unmanaged file is being overwritten.

Recommendation: Exclude "Missing" and "unknown-or-unmanaged" from the non-force update path. Either require --force for these statuses, or add an explicit --install-missing flag. Emit a warning when encountering unmanaged files.

[github-actions]

🟡 MODERATE · 2/3 consensus (disputed, then confirmed)

Partial-write inconsistency on multi-file assets.

If WriteFileAtomicallyWithinRootAsync fails for file N after files 1..N-1 succeeded, the method returns an error. On the next non-forced run, already-written files are skipped (via File.Exists at line 98), and only remaining files are retried — reporting "Installed (1 file)" even though the asset has multiple files.

Currently assets are single-file (mitigating this), but the code structure allows multi-file assets. Unlike SkillInstaller which stages atomically, this writes directly to the destination.

Recommendation: Consider staging all files into a temp directory within projectRoot before moving atomically into place (matching the SkillInstaller pattern), or document the single-file invariant with an assertion.

[github-actions]

🟢 MINOR · 2/3 consensus

Duplicate IsReparsePoint check (line 117 and 119 are identical).

The third condition is a copy-paste of the first — it incurs an extra File.GetAttributes syscall and creates the false impression of a deliberate double-check pattern. Additionally, the gap between the reparse-point check and Directory.GetDirectories (line 124) constitutes a narrow TOCTOU window, though exploitation is impractical for this read-only enumeration.

Recommendation: Remove the duplicate IsReparsePoint call.

[github-actions]

🟢 MINOR · 2/3 consensus

Backup file is always <config>.bak — subsequent runs silently overwrite prior backups.

If a user modifies mcp.json between runs, the previous .bak recovery point is lost without warning. This makes it impossible to recover from a bad maui ai init run if update has already overwritten the backup.

Recommendation: Use timestamped backup names (e.g., $"{configPath}.{timestamp}.bak") or check for an existing .bak and warn before overwriting.

[github-actions]

🟡 MODERATE · 2/3 consensus

Branch parameter not validated for path-traversal segments.

Uri.EscapeDataString("..") returns ".." unmodified (dots are not percent-encoded). .NET's Uri class normalizes .. segments before sending the HTTP request. A --branch value like "main/../../../attacker/evil-repo/main" would resolve to a different GitHub repository's raw content after URI normalization.

While --branch is a hidden option and GitHub may reject malformed paths server-side, client-side defense-in-depth is warranted since skills downloaded from the resolved URL are written to disk.

Recommendation: Add validation that rejects "." or ".." segments:

var segments = branch.Split('/');
if (segments.Any(s => s is "." or ".."))
    throw new InvalidOperationException($"Branch '{branch}' must not contain '.' or '..' segments.");