Add skills and subagents for junie

[dacgray]

Junie now supports skills and subagents: https://junie.jetbrains.com/docs/agent-skills.html

[github-actions]

PR #1255 Review - Add Skills and Subagents for Junie

Overall Mergeability Verdict: NOT MERGEABLE ❌

The PR has high-severity code quality issues that should be addressed before merging. However, there are no security vulnerabilities and the implementation is secure.

---

Code Review Findings

High Severity Issues:

1. JunieSkill.getSettablePaths() missing global mode error handling (High)

   • Location: src/features/skills/junie-skill.ts:72-76
   • Unlike other skill implementations (KiroSkill, CopilotSkill, ReplitSkill), this doesn't throw an error when global: true is passed
   • Should follow the pattern:

     if (options?.global) {
       throw new Error("JunieSkill does not support global mode.");
     }

2. Documentation not synchronized with implementation (High)

   • Location: docs/reference/supported-tools.md:23
   • The skills and subagents columns for JetBrains Junie should show ✅ to reflect the new functionality

Medium Severity Issues:

3. Test doesn't verify global mode error handling (Medium)

   • Location: src/features/skills/junie-skill.test.ts:34-37
   • Test expects success when global: true is passed, but processor metadata shows supportsGlobal: false

4. Missing test coverage for global mode error (Medium)

   • Should have a test verifying error is thrown when global mode is requested, like other skill implementations

Positive Observations:

5. ✅ Good adherence to coding guidelines (uses zod/mini, formatError(), join() from node:path)
6. ✅ Test coverage is comprehensive (243 lines of tests for junie-skill, 323 for junie-subagent)
7. ✅ Follows existing patterns and conventions
8. ✅ All CI checks pass (4180 tests passed)

---

Security Review Findings

Overall Security Assessment: LOW RISK ✅

9. Path Traversal Protection - SECURE ✅

   • Properly inherits protections from base classes (AiDir and AiFile)
   • Built-in validation in getDirPath() and getFilePath() methods

10. Input Validation - COMPLIANT ✅

    • Uses zod/mini with z.looseObject() per project guidelines
    • Frontmatter schemas validate required fields properly

11. Injection Vulnerabilities - NONE FOUND ✅

    • No use of exec, spawn, eval, or dangerous functions
    • No shell command interpolation

12. Secret/Credential Exposure - NONE FOUND ✅

    • No hardcoded secrets or credentials
    • No authentication handling

13. File Operations - SECURE ✅

    • Uses safe file utilities (writeFileContent, readFileContent, ensureDir)
    • Path construction uses node:path.join()

14. YAML Parsing - SECURE ✅

    • Uses gray-matter with prototype pollution protection
    • isPlainObject check prevents prototype pollution attacks

Low Severity/Informational:

15. Extra Fields Handling (LOW)
    • Extra fields from frontmatter are preserved in output
    • This is intentional for forward compatibility with evolving AI tool specs

---

Required Actions Before Merge

1. Add global mode error handling in JunieSkill.getSettablePaths() to match other skill implementations
2. Update docs/reference/supported-tools.md to show Junie skills and subagents support
3. Add test for global mode error handling
4. Fix existing global mode test to expect an error

---

Security Approval

✅ Approved from a security perspective - No vulnerabilities identified, all security best practices followed.

github run

[github-actions]

Thank you for your contribution! Unfortunately, this PR has 1002 added lines, which exceeds the limit of 1000 lines for external contributors.

Please split your changes into smaller PRs. See CONTRIBUTING.md for details.

This PR has been automatically closed.

[dacgray]

@dyoshikawa Bro - please take a look a this PR. The 1000 line limit is very restrictive. I'm just trying to help.