feat(telemetry): add security audit API integration and enhance git clone error handling

- Add `urlencoding` dependency to workspace
- Extend `Error::GitClone` with `is_timeout` and `is_auth_error` flags for structured error handling
- Implement 60-second clone timeout matching TS `CLONE_TIMEOUT_MS` with detailed timeout/auth error messages
- Set `GIT_TERMINAL_PROMPT=0` to suppress interactive credential prompts during clone
- Refactor telemetry from POST JSON to GET query parameters matching TS implementation

Author: gitctrlx

Cargo.lock

@@ -4,14 +4,14 @@ default-members = ["skill"]
 resolver = "3"
 
 [workspace.package]
-version = "0.4.5"
+version = "0.5.0"
 edition = "2024"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/qntx/skill"
 description = "Blazing-fast Vercel Skills CLI, reborn in Rust. 100% command parity, zero compromises."
 
 [workspace.dependencies]
-skill = { version = "0.4", path = "skill", features = ["network", "telemetry"] }
+skill = { version = "0.5", path = "skill", features = ["network", "telemetry"] }
 
 # Async runtime
 tokio = { version = "1.50.0", default-features = false }

Cargo.toml

@@ -19,6 +19,7 @@ regex = { workspace = true }
 dirs = { workspace = true }
 pathdiff = { workspace = true }
 tempfile = { workspace = true }
+urlencoding = { workspace = true }
 reqwest = { workspace = true, optional = true }
 
 [target.'cfg(windows)'.dependencies]

skill/Cargo.toml

@@ -29,6 +29,10 @@ pub enum Error {
         url: String,
         /// Error description.
         message: String,
+        /// Whether the clone timed out.
+        is_timeout: bool,
+        /// Whether the error is an authentication failure.
+        is_auth_error: bool,
     },
 
     /// An HTTP request failed.

skill/src/error.rs

@@ -1,21 +1,25 @@
 //! Git operations for cloning skill repositories.
 //!
-//! Uses the system `git` command (like the `TypeScript` `simple-git` reference)
-//! for maximum compatibility.
+//! Uses the system `git` command with a 60-second timeout, matching the
+//! the TS `simple-git` reference implementation.
 
 use std::path::PathBuf;
 
 use tempfile::TempDir;
 
 use crate::error::{Error, Result};
 
+/// Clone timeout matching the TS `CLONE_TIMEOUT_MS`.
+const CLONE_TIMEOUT: std::time::Duration = std::time::Duration::from_mins(1);
+
 /// Clone a git repository to a temporary directory.
 ///
 /// Returns the [`TempDir`] which will be cleaned up on drop.
 ///
 /// # Errors
 ///
-/// Returns an error if `git clone` fails.
+/// Returns [`Error::GitClone`] with `is_timeout` / `is_auth_error` flags
+/// for structured error handling by callers.
 pub async fn clone_repo(url: &str, git_ref: Option<&str>) -> Result<TempDir> {
     let temp_dir = TempDir::new().map_err(|e| Error::io(PathBuf::from("/tmp"), e))?;
 
@@ -31,16 +35,59 @@ pub async fn clone_repo(url: &str, git_ref: Option<&str>) -> Result<TempDir> {
 
     cmd.arg(url).arg(temp_dir.path());
 
-    let output = cmd.output().await.map_err(|e| Error::GitClone {
-        url: url.to_owned(),
-        message: format!("failed to run git: {e}"),
-    })?;
+    // Suppress interactive credential prompts (matching TS GIT_TERMINAL_PROMPT=0)
+    cmd.env("GIT_TERMINAL_PROMPT", "0");
+
+    let output = match tokio::time::timeout(CLONE_TIMEOUT, cmd.output()).await {
+        Ok(Ok(output)) => output,
+        Ok(Err(e)) => {
+            return Err(Error::GitClone {
+                url: url.to_owned(),
+                message: format!("failed to run git: {e}"),
+                is_timeout: false,
+                is_auth_error: false,
+            });
+        }
+        Err(_elapsed) => {
+            return Err(Error::GitClone {
+                url: url.to_owned(),
+                message: concat!(
+                    "Clone timed out after 60s. This often happens with private repos ",
+                    "that require authentication.\n",
+                    "  Ensure you have access and your SSH keys or credentials are configured:\n",
+                    "  - For SSH: ssh-add -l (to check loaded keys)\n",
+                    "  - For HTTPS: gh auth status (if using GitHub CLI)",
+                )
+                .to_owned(),
+                is_timeout: true,
+                is_auth_error: false,
+            });
+        }
+    };
 
     if !output.status.success() {
-        let stderr = String::from_utf8_lossy(&output.stderr);
+        let stderr = String::from_utf8_lossy(&output.stderr).to_string();
+        let is_auth = stderr.contains("Authentication failed")
+            || stderr.contains("could not read Username")
+            || stderr.contains("Permission denied")
+            || stderr.contains("Repository not found");
+
+        let message = if is_auth {
+            format!(
+                "Authentication failed for {url}.\n\
+                 \x20 - For private repos, ensure you have access\n\
+                 \x20 - For SSH: Check your keys with 'ssh -T git@github.com'\n\
+                 \x20 - For HTTPS: Run 'gh auth login' or configure git credentials"
+            )
+        } else {
+            stderr
+        };
+
         return Err(Error::GitClone {
             url: url.to_owned(),
-            message: stderr.to_string(),
+            message,
+            is_timeout: false,
+            is_auth_error: is_auth,
         });
     }
 

skill/src/git.rs

@@ -59,6 +59,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: Some(resolved),
             git_ref: None,
             skill_filter: None,
+            is_private: None,
         };
     }
 
@@ -75,6 +76,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: None,
             git_ref: Some(git_ref.to_owned()),
             skill_filter: None,
+            is_private: None,
         };
     }
 
@@ -90,6 +92,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: None,
             git_ref: Some(git_ref.to_owned()),
             skill_filter: None,
+            is_private: None,
         };
     }
 
@@ -104,6 +107,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: None,
             git_ref: None,
             skill_filter: None,
+            is_private: None,
         };
     }
 
@@ -122,6 +126,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
                 local_path: None,
                 git_ref: Some(git_ref.to_owned()),
                 skill_filter: None,
+                is_private: None,
             };
         }
     }
@@ -140,6 +145,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
                 local_path: None,
                 git_ref: Some(git_ref.to_owned()),
                 skill_filter: None,
+                is_private: None,
             };
         }
     }
@@ -155,6 +161,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
                 local_path: None,
                 git_ref: None,
                 skill_filter: None,
+                is_private: None,
             };
         }
     }
@@ -175,6 +182,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: None,
             git_ref: None,
             skill_filter: Some(skill_filter.to_owned()),
+            is_private: None,
         };
     }
 
@@ -194,6 +202,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: None,
             git_ref: None,
             skill_filter: None,
+            is_private: None,
         };
     }
 
@@ -206,6 +215,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
             local_path: None,
             git_ref: None,
             skill_filter: None,
+            is_private: None,
         };
     }
 
@@ -217,6 +227,7 @@ pub fn parse_source(input: &str) -> ParsedSource {
         local_path: None,
         git_ref: None,
         skill_filter: None,
+        is_private: None,
     }
 }