13 changes: 13 additions & 0 deletions AGENTS.md
Expand Up @@ -583,6 +583,19 @@ Canonical state file for AskUserQuestion. Atomic write via tmp+rename. Schema:
### MCP HTTP transport blocklist
`codec_config._HTTP_BLOCKED`: `python_exec`, `terminal`, `process_manager`, `pm2_control`, `ax_control`. These skills are NEVER exposed over HTTP MCP. They remain available locally (voice, chat) and over stdio MCP only.

### Skill creation flow — review-and-approve only (Phase 1 Wave 1, PR-1B — closes D-2 + D-3)

Skill creation is exclusively via the review-and-approve flow:

`POST /api/skill/review` → stages code for human review (no disk write)
`POST /api/skill/approve` → writes to disk after explicit operator approval; runs `is_dangerous_skill_code` as the write-time gate

The legacy direct-write endpoints `/api/save_skill` and `/api/forge` were **removed in PR-1B**. Both were CRITICAL RCE-enabling paths per `docs/audits/PHASE-1-SECURITY.md`:
- `/api/save_skill` (**D-3**) wrote user/LLM-supplied code straight to `<skills_dir>/<name>.py` after only a substring blocker.
- `/api/forge` (**D-2**) fetched arbitrary URLs (SSRF), passed the response to the LLM, and wrote the LLM's output directly to disk.

The Skill Forge UI in `codec_vibe.html` (modal, toolbar buttons, JS handlers) was removed alongside. The URL-fetch capability is intentionally dropped — anyone wanting to import code from a URL now pastes the source into the editor and goes through the review-and-approve flow like any other skill.

### Skill load-time safety gate (Phase 1 Wave 1, PR-1A — closes D-1)

`SkillRegistry.load` (`codec_skill_registry.py`) runs a two-stage check on every skill load — BEFORE `spec.loader.exec_module(mod)` — so a malicious `.py` file dropped in `~/.codec/skills/` cannot execute regardless of how it reached disk:
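Review bot: The two endpoint lines under "Skill creation is exclusively via the review-and-approve flow" do not say what ties an approve call to the code that was staged. If `POST /api/skill/approve` accepted code in its own request body, it would be the removed `/api/save_skill` with a different gate. Suggest stating that approve takes only a reference to the staged item (for example an id or content hash) and writes exactly what the operator reviewed. It would also help to say how `is_dangerous_skill_code` differs from the "substring blocker" that the D-3 bullet treats as insufficient.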
19 changes: 8 additions & 11 deletions FEATURES.md
Expand Up @@ -149,17 +149,14 @@ release, CODEC is now a **9-product system**.
| 7 | Inspect mode for element inspection |
| 8 | Save file to disk |
| 9 | Copy code to clipboard |
| 10 | Save as CODEC Skill |
| 11 | Test Skill (invoke run() function) |
| 12 | Skill Forge modal (3 modes: Paste Code, GitHub URL, Describe) |
| 13 | Project management sidebar (sessions) |
| 14 | Resizable panels (drag handle) |
| 15 | Output console panel |
| 16 | DOMPurify sanitization on all rendered content |
| 17 | Server webcam photo + live PIP |
| 18 | Light/dark theme toggle (syncs Monaco theme) |
| 19 | Skill review + approval workflow (human-in-the-loop) |
| 20 | URL import in Skill Forge (fetch code from GitHub raw URLs) |
| 10 | Test Skill (invoke run() function) |
| 11 | Project management sidebar (sessions) |
| 12 | Resizable panels (drag handle) |
| 13 | Output console panel |
| 14 | DOMPurify sanitization on all rendered content |
| 15 | Server webcam photo + live PIP |
| 16 | Light/dark theme toggle (syncs Monaco theme) |
| 17 | Skill review + approval workflow (human-in-the-loop, exclusive path) |

---
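Review bot: Row 10, `Test Skill (invoke run() function)`, survives the renumbering while row 17 now calls review + approval the "exclusive path", and the table does not say whether Test Skill runs editor code before it has been reviewed. Suggest a qualifier on row 10 stating where that run() executes and whether it passes the same gate, so that "exclusive path" is not read as covering execution as well as creation.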

12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -50,7 +50,7 @@ No cloud dependency. No data leaving the machine unless you choose. No subscript
| 2 | **CODEC Dictate** | Hold, speak, paste — hands-free F5 live typing at cursor, draft refinement, floating overlays |
| 3 | **CODEC Instant** | Right-click → 8 AI services system-wide — proofread, translate, reply, explain |
| 4 | **CODEC Chat** | 250K-context conversational AI + 12 autonomous agent crews |
| 5 | **CODEC Vibe** | Browser IDE with Monaco editor + Skill Forgethe framework writes its own plugins |
| 5 | **CODEC Vibe** | Browser IDE with Monaco editor + live previewnew skills land through a human-review approval flow |
| 6 | **CODEC Voice** | Real-time voice calls with interrupt detection, screen analysis mid-call |
| 7 | **CODEC Overview** | Dashboard + Cortex nerve center + full audit trail — accessible from any device |
| 8 | **CODEC Pilot** | Browser automation you can *teach* — record once, replay forever with XPath→CSS→LLM rescue |
Expand Down Expand Up @@ -121,11 +121,11 @@ The multi-agent framework is under 800 lines. Zero dependencies. No CrewAI. No L

**Phase 3 substrate** (autonomous agents) reuses Phase 1+2 components: unified audit envelope (Step 1), plugin lifecycle hooks (Step 2), AskUser + strict-consent + step budget (Step 3), continuous observation loop (Step 5), trigger system (Step 6), end-of-day shift report (Step 7). Per-agent state at `~/.codec/agents/<id>/`. Global allowlist tier at `~/.codec/agent_global_grants.json`. 17 new audit events. See `docs/PHASE3-COMPLETE.md` for the full sign-off.

### 5. CODEC Vibe — AI Coding IDE + Skill Forge
### 5. CODEC Vibe — AI Coding IDE

Split-screen in the browser. Monaco editor on the left (same engine as VS Code, v0.45.0). AI chat on the right. Describe what's needed — CODEC writes it, click Apply, run it, live preview in browser.

Skill Forge takes it further: three modes — paste code, import from GitHub URL, or describe a capability in plain English. CODEC converts it into a working plugin. The framework writes its own extensions. DOMPurify sanitization on all rendered content.
New skills land through the human-review approval flow (`/api/skill/review` → `/api/skill/approve`) — staged, previewed, then written to disk only after explicit operator approval. Defense in depth pairs with the load-time AST gate in `SkillRegistry.load`. DOMPurify sanitization on all rendered content.

### 6. CODEC Voice — Live Voice Calls
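Review bot: The replacement paragraph under "### 5. CODEC Vibe" drops the "import from GitHub URL" mode without telling README readers it is gone; the explanation lives only in AGENTS.md ("The URL-fetch capability is intentionally dropped"). Suggest one sentence here pointing users to paste the source into the editor and go through review. Separately, "Defense in depth pairs with the load-time AST gate" has no clear subject; something like "The write-time check pairs with the load-time AST gate in `SkillRegistry.load` for defense in depth" reads better.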

Expand Down Expand Up @@ -311,7 +311,7 @@ Three smart agents ship built-in: Daily Briefing, Restaurant Decider (location-a
| Voice-to-voice calls | WebSocket, real-time | Yes but cloud | Yes but cloud |
| Multi-agent workflows | 12 crews, local LLM | No | Limited |
| Right-click AI services | 8 system-wide services | No | No |
| Writes its own plugins | Skill Forge | No | No |
| Writes its own plugins | Yes, via review-and-approve flow | No | No |
| Hands-free live typing at cursor | Dictate F5 | No | No |
| Process watchdog | Auto-kills stuck processes | No | No |
| Full audit trail | 16 event categories | No | No |
Expand All @@ -325,7 +325,7 @@ Three smart agents ship built-in: Daily Briefing, Restaurant Decider (location-a
| Pipecat | **Voice** — own WebSocket pipeline |
| CrewAI + LangChain | **Chat** — 795-line agent framework, zero dependencies |
| SuperWhisper / Apple Dictation | **Dictate** — free, open source, F5 hands-free live typing, 100% local |
| Cursor / Windsurf | **Vibe** — Monaco + AI + Skill Forge |
| Cursor / Windsurf | **Vibe** — Monaco + AI + review-gated skill creation |
| Google Assistant / Siri | **Core** — actually controls the computer |
| Grammarly | **Instant** — right-click services via local LLM |
| ChatGPT | **Chat** — 250K context, fully local |
Expand Down Expand Up @@ -630,7 +630,7 @@ codec_voice.html — Voice call UI
codec_dashboard.py — Web API + dashboard (135+ endpoints across routes/)
codec_dashboard.html — Dashboard UI (Flash Chat, History, Audit, Settings, Stats, Skills)
codec_chat.html — Chat UI (agents, file upload, voice input)
codec_vibe.html — Vibe Code IDE (Monaco + Skill Forge)
codec_vibe.html — Vibe Code IDE (Monaco editor + live preview)
codec_cortex.html — Cortex system overview (neural map, product grid)
codec_audit.html — Audit log viewer (16 categories, filterable)
codec_audit.py — Audit logger (JSON-line, 50MB rotation, thread-safe)
2 changes: 1 addition & 1 deletion codec_chat.html
Expand Up @@ -471,7 +471,7 @@ <h1><a href="/" style="color:inherit;text-decoration:none">CODEC</a></h1>
"3. **CODEC Dictate** \u2014 Hold-to-speak dictation that transcribes and refines text with LLM grammar/tone correction in any macOS app.\n" +
"4. **CODEC Instant** \u2014 Right-click AI services (Proofread, Elevate, Explain, Translate, Reply, Read Aloud) on any selected text system-wide.\n" +
"5. **CODEC Chat** \u2014 That's YOU. Conversational AI with 250K context, file uploads, image analysis, web search, and 12 autonomous agent crews.\n" +
"6. **CODEC Vibe** \u2014 AI coding IDE with Skill Forge that auto-generates and deploys new plugins from natural language.\n" +
"6. **CODEC Vibe** \u2014 AI coding IDE with Monaco editor + live preview. New skills land through the human-review approval flow.\n" +
"7. **CODEC Voice** \u2014 Real-time voice-to-voice calls with live transcription and mid-call screen analysis.\n\n" +
"Supporting systems: Dashboard (remote access via Cloudflare/Tailscale), Skill Marketplace, MCP Server (exposes skills to Claude/Cursor/VS Code), Task Scheduler, and Memory.\n\n" +
"### IDENTITY & PERSONA\n" +
14 changes: 13 additions & 1 deletion codec_config.py
@@ -1,6 +1,14 @@
"""CODEC Configuration — loads ~/.codec/config.json and exposes all constants"""
import os, json
from pynput import keyboard

# pynput requires a display (X11 / AppKit / win32). On headless CI runners
# (Linux GitHub Actions, Docker) the import raises ImportError. Other modules
# import codec_config for is_dangerous_skill_code, DANGEROUS_PATTERNS, etc.
# without needing the keyboard subsystem — fail gracefully so those imports work.
try:
from pynput import keyboard
except ImportError:
keyboard = None

CONFIG_PATH = os.path.expanduser("~/.codec/config.json")
DRY_RUN = False
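Review bot: `except ImportError: keyboard = None` also swallows the case where pynput is simply not installed on a desktop machine, so hotkeys would stop working with no message. Suggest logging a warning in the except branch, or tolerating the failure only when a headless/CI indicator is set. The new comment also exposes the underlying coupling: modules that only need `is_dangerous_skill_code` and `DANGEROUS_PATTERNS` have to import a file that pulls in the keyboard subsystem. Moving those safety constants into a module with no pynput dependency would take this fallback out of the security gate's import path.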
Expand Down Expand Up @@ -258,6 +266,10 @@ def needs_screen(t):
# Key resolution
def _resolve_key(name):
name = name.lower().strip()
if keyboard is None:
# Headless: codec_config is being imported for its constants only,
# not for live keyboard listening. Skip key resolution.
return None
if name.startswith('f') and name[1:].isdigit():
return getattr(keyboard.Key, name, None)
if len(name) == 1:
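Review bot: Returning None from `_resolve_key` when `keyboard is None` is indistinguishable from the existing `getattr(keyboard.Key, name, None)` result for an unknown key name, so a caller cannot tell "headless" from "misconfigured key". The guard also covers only this function; any other reference to `keyboard.` in the module would raise AttributeError on None. Suggest checking the remaining references and noting in a docstring that None can mean the keyboard backend is unavailable.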
8 changes: 4 additions & 4 deletions codec_cortex.html
Expand Up @@ -857,11 +857,11 @@ <h3>Live Activity</h3>
features:['250K Context','File Upload','Image Analysis','Web Search','12 Agent Crews','Streaming','Skill Execution','Voice Reply','Memory Search','Code Blocks','Thinking Mode'],
files:['codec_chat.html','codec_dashboard.py'],status:'chat',
details:{agents:'Deep Research (10,000-word report → Google Docs), Daily Briefing (morning news + calendar), Competitor Analysis (SWOT + positioning), Trip Planner (full itinerary), Email Handler (triage inbox, draft replies), Social Media (posts for Twitter, LinkedIn, Instagram), Code Review (bugs + security), Data Analysis (trends + insights), Content Writer (blog posts, articles), Meeting Summarizer (action items), Invoice Generator (professional invoices), Custom Agent (define your own role, tools, task)',features:'250K context, file uploads (PDF/image/text), web search with Serper API, skill execution, streaming responses, voice reply toggle, thinking mode toggle, memory search. Multi-agent framework under 800 lines. Zero dependencies. No CrewAI. No LangChain.',scheduling:'Schedule any crew: "Run competitor analysis every Monday at 9am"',port:'8090 (/chat)',files:['codec_chat.html','codec_dashboard.py','routes/agents.py','codec_agents.py']}},
{name:'CODEC Vibe',subtitle:'AI Coding IDE + Skill Forge',icon:'🎨',color:'#f59e0b',
desc:'Split-screen in the browser. Monaco editor on the left (same engine as VS Code). AI chat on the right. Describe what you need — CODEC writes it, click Apply, run it, live preview. Skill Forge: describe a new capability in plain English, CODEC converts it into a working plugin.',
features:['Monaco Editor','Live Preview','Skill Forge','Auto Deploy','Code Generation','Apply Code','HTML/CSS/JS','Template Library'],
{name:'CODEC Vibe',subtitle:'AI Coding IDE',icon:'🎨',color:'#f59e0b',
desc:'Split-screen in the browser. Monaco editor on the left (same engine as VS Code). AI chat on the right. Describe what you need — CODEC writes it, click Apply, run it, live preview. New skills land through the review-and-approve flow (/api/skill/review → /api/skill/approve) — human-in-the-loop, audit-gated.',
features:['Monaco Editor','Live Preview','Code Generation','Apply Code','HTML/CSS/JS','Template Library','Human Review Gate','Test skill run()'],
files:['codec_vibe.html'],status:'vibe',
details:{how:'Natural language → LLM generates HTML/CSS/JS → Live preview in iframe → One-click deploy as skill. Skill Forge takes it further: describe a new capability in plain English, CODEC converts it into a working plugin. The framework writes its own extensions.',port:'8090 (/vibe)',files:['codec_vibe.html']}},
details:{how:'Natural language → LLM generates HTML/CSS/JS → Live preview in iframe → Skill staging via /api/skill/review → user approves → /api/skill/approve writes to ~/.codec/skills/. Defense in depth with the load-time AST gate added in PR-1A.',port:'8090 (/vibe)',files:['codec_vibe.html']}},
{name:'CODEC Voice',subtitle:'Live Voice Calls',icon:'📞',color:'#34d399',
desc:'Real-time voice-to-voice conversations with the AI. WebSocket pipeline — no Pipecat, no external dependencies. Mid-call say "check my screen" — it screenshots, analyzes, and speaks back. Full transcript saved to memory.',
features:['WebSocket','VAD','Interruption','Live Transcript','Screen Analysis','Streaming TTS','Low Latency','Memory Save','Searchable History'],
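Review bot: The new `desc` and `details.how` strings put internal references into user-facing copy: "added in PR-1A" means nothing to someone reading the Cortex product card, and "audit-gated" is not a term AGENTS.md uses (it names `is_dangerous_skill_code` as the write-time gate and a separate load-time gate in `SkillRegistry.load`). Suggest dropping the PR label and naming the gates the way AGENTS.md does, so the UI text and the docs describe the same controls.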