fix: activate skills when VT scan is unavailable or stales out

[superlowburn]

Summary

Fixes #139 — published skills return success but are not visible in search.

Root cause: insertVersion always sets moderationStatus: 'hidden' on publish (skills.ts:3180). The only path to 'active' is through approveSkillByHashInternal, called when VirusTotal returns a verdict. Three code paths leave the skill permanently hidden with no recovery:

1. VT_API_KEY not configured — scanWithVirusTotal logs and returns early, skill stays hidden forever
2. VT hash not found after 10 poll attempts — pollPendingScans marks scan as stale but never activates the skill
3. VT hash found but no Code Insight after 10 attempts — same stale path, same missing activation

Since toPublicSkill() (public.ts:56) filters out any skill where moderationStatus !== 'active', these skills never appear in search results or on the website despite the CLI returning success.

Fix: Call setSkillModerationStatusActiveInternal in all three paths so the skill becomes searchable. If VT later returns a malicious/suspicious verdict, approveSkillByHashInternal will correctly re-hide and flag it — the existing blocked.malware flag check in toPublicSkill (line 57) is unaffected.

• convex/vt.ts — 3 activation calls added (no-API-key path + 2 stale paths)
• convex/lib/public.test.ts — 5 new tests documenting moderation filtering behavior

Test plan

• All 433 existing tests pass (vitest run)
• New tests cover toPublicSkill moderation filtering: active, hidden, undefined (legacy), soft-deleted, blocked.malware
• Lint clean (oxlint --type-aware)
• Verify on staging: publish a skill with VT disabled, confirm it appears in search

🤖 Generated with Claude Code

Greptile Overview

Greptile Summary

This PR fixes a critical issue where published skills would be permanently hidden when VirusTotal scanning fails or times out. The root cause was correctly identified: insertVersion sets moderationStatus: 'hidden' on publish (skills.ts:3180), and without a VT verdict, skills never become searchable.

The fix adds three activation calls to make skills visible when VT scanning is unavailable:

• When VT_API_KEY is not configured (vt.ts:314)
• When VT hash is not found after 10 poll attempts (vt.ts:538)
• When VT hash exists but no Code Insight after 10 attempts (vt.ts:568)

The test additions document the toPublicSkill filtering behavior for various moderation states, which correctly validates that only 'active' skills (or legacy undefined status) appear in search, while hidden, soft-deleted, and malware-blocked skills are filtered out.

Critical issue found: The three new activation calls bypass the quality gate quarantine. Skills with moderationReason: 'quality.low' should remain hidden until manual review (see skills.ts:2335-2344), but setSkillModerationStatusActiveInternal unconditionally sets status to active. Since quality.low skills are included in the pending scan queue (skills.ts:1661), they will be incorrectly activated when VT stales out.

Confidence Score: 2/5

• This PR addresses a real problem but introduces a quality gate bypass vulnerability
• The PR correctly identifies and fixes the issue where skills remain permanently hidden when VT scanning fails. However, the fix introduces a critical bug: skills quarantined by the quality gate (moderationReason: 'quality.low') will be incorrectly activated when VT scans time out, bypassing the manual review requirement enforced in approveSkillByHashInternal (skills.ts:2335-2344)
• Pay close attention to convex/vt.ts - all three activation calls need to check for quality.low quarantine before activating skills

_{Last reviewed commit: fb76bdf}

[vercel]

@superlowburn is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

_{2 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

bypasses quality gate quarantine - skills with moderationReason: 'quality.low' will be activated even though they should remain hidden

check the skill's moderationReason before activating:

Suggested change

	// Activate the skill so it appears in search — absence of a VT
	// verdict should not permanently hide a published skill.
	await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
	skillId,
	})
	// Activate the skill so it appears in search — absence of a VT
	// verdict should not permanently hide a published skill.
	const skill = await ctx.runQuery(internal.skills.getSkillByIdInternal, { skillId })
	if (skill?.moderationReason !== 'quality.low') {
	await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
	skillId,
	})
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: convex/vt.ts
Line: 536:540

Comment:
bypasses quality gate quarantine - skills with `moderationReason: 'quality.low'` will be activated even though they should remain hidden

check the skill's `moderationReason` before activating:

```suggestion
            // Activate the skill so it appears in search — absence of a VT
            // verdict should not permanently hide a published skill.
            const skill = await ctx.runQuery(internal.skills.getSkillByIdInternal, { skillId })
            if (skill?.moderationReason !== 'quality.low') {
              await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
                skillId,
              })
            }
```

How can I resolve this? If you propose a fix, please make it concise.

[superlowburn]

Fixed in commit a8e62e2. Added getSkillByIdInternal lookup and check if (skill?.moderationReason !== "quality.low") before activating the skill. This ensures that skills in quality gate quarantine remain hidden even when VT scan is unavailable.

[greptile-apps]

same quality gate bypass issue as above

Suggested change

	// Activate the skill so it appears in search — absence of a VT
	// verdict should not permanently hide a published skill.
	await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
	skillId,
	})
	// Activate the skill so it appears in search — absence of a VT
	// verdict should not permanently hide a published skill.
	const skill = await ctx.runQuery(internal.skills.getSkillByIdInternal, { skillId })
	if (skill?.moderationReason !== 'quality.low') {
	await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
	skillId,
	})
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: convex/vt.ts
Line: 566:570

Comment:
same quality gate bypass issue as above

```suggestion
            // Activate the skill so it appears in search — absence of a VT
            // verdict should not permanently hide a published skill.
            const skill = await ctx.runQuery(internal.skills.getSkillByIdInternal, { skillId })
            if (skill?.moderationReason !== 'quality.low') {
              await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
                skillId,
              })
            }
```

How can I resolve this? If you propose a fix, please make it concise.

[superlowburn]

Fixed in commit a8e62e2. Same fix applied here — added skill lookup and moderationReason check before activating. Skills with quality.low moderation reason will not be activated.

[greptile-apps]

same quality gate bypass - check moderationReason before activating

Suggested change

	console.log('VT_API_KEY not configured, skipping scan — activating skill')
	// Activate the skill so it appears in search despite no VT scan.
	const version = await ctx.runQuery(internal.skills.getVersionByIdInternal, {
	versionId: args.versionId,
	})
	if (version) {
	await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
	skillId: version.skillId,
	})
	}
	console.log('VT_API_KEY not configured, skipping scan — activating skill')
	// Activate the skill so it appears in search despite no VT scan.
	const version = await ctx.runQuery(internal.skills.getVersionByIdInternal, {
	versionId: args.versionId,
	})
	if (version) {
	const skill = await ctx.runQuery(internal.skills.getSkillByIdInternal, {
	skillId: version.skillId,
	})
	if (skill?.moderationReason !== 'quality.low') {
	await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
	skillId: version.skillId,
	})
	}
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: convex/vt.ts
Line: 308:317

Comment:
same quality gate bypass - check `moderationReason` before activating

```suggestion
      console.log('VT_API_KEY not configured, skipping scan — activating skill')
      // Activate the skill so it appears in search despite no VT scan.
      const version = await ctx.runQuery(internal.skills.getVersionByIdInternal, {
        versionId: args.versionId,
      })
      if (version) {
        const skill = await ctx.runQuery(internal.skills.getSkillByIdInternal, {
          skillId: version.skillId,
        })
        if (skill?.moderationReason !== 'quality.low') {
          await ctx.runMutation(internal.skills.setSkillModerationStatusActiveInternal, {
            skillId: version.skillId,
          })
        }
      }
```

How can I resolve this? If you propose a fix, please make it concise.

[superlowburn]

Fixed in commit a8e62e2. Same fix applied — added skill lookup and moderationReason check before activating. This prevents quality gate quarantine bypass in the non-VT-API path.

[steipete]

I rather opt to not show a skill than to show one without scan. We are a target.

[superlowburn]

Thank you for flagging this security concern entirely. You are right that showing skills without a VT scan is too risky given we are a target.

I will revise this PR to remove the activation calls entirely. Instead of auto-activating skills when VT is unavailable/stales, we should:

1. Keep skills moderationStatus: 'hidden' when VT is not configured or times out
2. Update the CLI/server response to clearly indicate 'pending_scan' or 'scan_unavailable' instead of incorrectly returning success
3. Consider a manual admin activation path for the VT-unconfigured case if needed (with explicit approval)

The current fix prioritizes availability over security, which is the wrong tradeoff. I will prepare a revised patch that keeps the quarantine intact and improves observability so publishers understand why their skills aren't appearing.

Let me refactor this to address your feedback.