supports trae.ai

[ice-zjchen]

Motivation and Context

Supports superpowers in trae.ai

How Has This Been Tested

Others

• https://docs.trae.ai/ide/skills
• https://docs.trae.ai/ide/rules

Summary by CodeRabbit

• New Features

  • Introduced Trae's Superpowers system with skill discovery and management capabilities.
  • Added CLI commands: bootstrap, find-skills, and use-skill for managing custom skills.

• Documentation

  • Added complete installation and usage guides for Superpowers.
  • Included bootstrap guidelines and troubleshooting resources.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces Trae's Superpowers feature, a system for discovering and loading skills from personal and superpowers directories. It includes a Node.js CLI script for bootstrapping, finding, and using skills, along with installation guides and comprehensive documentation.

Changes

Cohort / File(s)	Summary
CLI Implementation \.trae/superpowers-trae	New Node.js CLI script orchestrating skill discovery and loading from personal and superpowers directories. Implements bootstrap flow, skill enumeration with namespace support, skill loading with personal-first precedence, and integration with skills-core for metadata extraction.
Setup & Configuration \.trae/INSTALL.md, \.trae/superpowers-bootstrap.md	Installation guide and bootstrap guidelines. Covers repository cloning, directory structure, rules configuration, and verification steps. Bootstrap file defines tool mappings, naming conventions, skill-loading requirements, and critical operational rules.
User Documentation README.md, docs/README.trae.md	Documentation additions to main README and new comprehensive Trae guide. Covers quick/manual installation, command usage (bootstrap, find-skills, use-skill), personal skills setup, architecture overview, troubleshooting, and help resources.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI as superpowers-trae CLI
    participant SkillsCore
    participant PersonalDir as ~/.trae/skills
    participant SuperpowersDir as ~/.trae/superpowers

    User->>CLI: bootstrap command
    CLI->>CLI: Print bootstrap header
    CLI->>SkillsCore: checkForUpdates()
    CLI->>CLI: Read & display bootstrap.md
    CLI->>PersonalDir: List skills
    CLI->>SuperpowersDir: List skills
    CLI->>CLI: Print available skills
    CLI->>CLI: Auto-load superpowers:using-superpowers

    User->>CLI: use-skill [skill-name]
    CLI->>PersonalDir: Check for skill (1st priority)
    alt Personal skill found
        CLI->>PersonalDir: Read SKILL.md
    else
        CLI->>SuperpowersDir: Check superpowers directory
        CLI->>SuperpowersDir: Read SKILL.md
    end
    CLI->>SkillsCore: extractFrontmatter() & stripFrontmatter()
    CLI->>User: Print skill metadata & content

    User->>CLI: find-skills command
    CLI->>PersonalDir: Enumerate all skills
    CLI->>CLI: Print personal skills
    CLI->>SuperpowersDir: Enumerate all skills
    CLI->>CLI: Print superpowers: prefixed skills

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add problem-solving skills from amplifier patterns #1: Adds SKILL.md files that the new CLI discovers and loads from the superpowers and personal directories.
• Add personal superpowers overlay system #2: Implements complementary skill discovery and loading behavior with similar personal-first precedence and bootstrap setup patterns.

Poem

🐰 A rabbit hops with glee,
Superpowers now set free!
Skills to find, to load, to use,
Bootstrap paths, none to lose—
Magic flows through CLI streams,
Making Trae fulfill its dreams! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'supports trae.ai' is vague and generic, failing to clearly convey the specific changes being made to the codebase.	Revise the title to be more specific and descriptive, such as 'Add Trae superpowers integration with bootstrap and CLI tooling' to better reflect the actual changeset.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In @.trae/INSTALL.md:
- Around line 7-12: Replace the forked clone URL in the installation
instructions: locate the git clone command that uses
"https://github.com/ice-zjchen/superpowers.git" in .trae/INSTALL.md and update
it to the upstream canonical URL "https://github.com/obra/superpowers.git" so
the installation block (the git clone line) points to the upstream repository.

In @.trae/superpowers-trae:
- Around line 140-151: The code strips prefixes from skillName into
actualSkillPath but does not prevent path traversal (e.g., ".."), so the later
path.join calls can escape intended directories; to fix, after computing
actualSkillPath call path.resolve against each base directory used (the
superpowers base, personal skills base, and fallback superpowers base used in
the path.join operations) and verify the resolved path starts with the
corresponding base directory (or is equal) before using it; if the check fails,
reject the request or throw an error. Ensure you apply this validation for the
paths constructed for superpowers (where forceSuperpowers is true), the personal
skills path branch, and the fallback superpowers path so that actualSkillPath
cannot traverse outside the allowed directories.

In `@docs/README.trae.md`:
- Around line 25-28: Update the manual installation clone command to point to
the upstream repository by replacing the clone URL string
"https://github.com/ice-zjchen/superpowers.git" with
"https://github.com/obra/superpowers.git" in the README snippet so the mkdir +
git clone sequence uses the upstream repo.
- Around line 9-11: Replace the forked raw GitHub URL in the README.trae.md (the
string
"https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md")
with the upstream repository URL
"https://raw.githubusercontent.com/obra/superpowers/refs/heads/main/.trae/INSTALL.md";
also search for the same forked URL occurrence in INSTALL.md and update it to
the upstream URL to ensure all references point to obra/superpowers.

In `@README.md`:
- Around line 80-88: The README's Trae section contains a URL pointing to the
contributor's fork; update the URL string literal
"https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md"
to the upstream repository
"https://raw.githubusercontent.com/obra/superpowers/refs/heads/main/.trae/INSTALL.md"
so the Trae install instruction references the canonical source; edit the
README.md Trae block where that URL appears.

🧹 Nitpick comments (3)

.trae/superpowers-trae (3)

29-33: Unused variable and missing error handling.

The name variable is destructured but never used. Additionally, extractFrontmatter could fail if the skill file doesn't exist or is malformed, which would crash the CLI during skill enumeration.

♻️ Suggested fix

-    // Extract and print metadata
-    const { name, description } = skillsCore.extractFrontmatter(skillFile);
-
-    if (description) console.log(`  ${description}`);
+    // Extract and print metadata
+    try {
+        const { description } = skillsCore.extractFrontmatter(skillFile);
+        if (description) console.log(`  ${description}`);
+    } catch (error) {
+        // Silently skip metadata if extraction fails
+    }

---

171-199: Inconsistent logging for forced superpowers namespace.

When forceSuperpowers is true (lines 172-176), the skill loads silently without the "Loading superpowers skill" message that appears in the fallback path (lines 193-197). This creates inconsistent user feedback.

♻️ Suggested fix

     if (forceSuperpowers) {
         if (fs.existsSync(superpowersSkillsDir)) {
             const superpowersPath = path.join(superpowersSkillsDir, actualSkillPath);
             skillFile = findSkillFile(superpowersPath);
+            if (skillFile) {
+                console.log(`# Loading superpowers skill: superpowers:${actualSkillPath}`);
+                console.log(`# Source: ${skillFile}`);
+                console.log('');
+            }
         }
     } else {

---

222-224: Fragile path comparison using includes().

Using skillFile.includes(personalSkillsDir) for determining the skill source is unreliable. A path like /home/user/.trae/skills-backup/foo/SKILL.md would incorrectly match if personalSkillsDir is /home/user/.trae/skills.

♻️ Suggested fix

-    const displayName = forceSuperpowers ? `superpowers:${actualSkillPath}` :
-                       (skillFile.includes(personalSkillsDir) ? actualSkillPath : `superpowers:${actualSkillPath}`);
+    const isPersonalSkill = path.resolve(skillFile).startsWith(path.resolve(personalSkillsDir) + path.sep);
+    const displayName = forceSuperpowers ? `superpowers:${actualSkillPath}` :
+                       (isPersonalSkill ? actualSkillPath : `superpowers:${actualSkillPath}`);

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Repository URL points to fork instead of upstream.

The clone URL https://github.com/ice-zjchen/superpowers.git references the PR author's fork. Before merging, this should be updated to the upstream repository URL https://github.com/obra/superpowers.git to ensure users clone from the canonical source.

🔧 Suggested fix

 1. **Clone superpowers repository**:
    ```bash
    mkdir -p ~/.trae/superpowers
    cd ~/.trae/superpowers
-   git clone https://github.com/ice-zjchen/superpowers.git .
+   git clone https://github.com/obra/superpowers.git .
    ```

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	1. **Clone superpowers repository**:
	```bash
	mkdir -p ~/.trae/superpowers
	cd ~/.trae/superpowers
	git clone https://github.com/ice-zjchen/superpowers.git .
	```
	1. **Clone superpowers repository**:

🤖 Prompt for AI Agents

In @.trae/INSTALL.md around lines 7 - 12, Replace the forked clone URL in the
installation instructions: locate the git clone command that uses
"https://github.com/ice-zjchen/superpowers.git" in .trae/INSTALL.md and update
it to the upstream canonical URL "https://github.com/obra/superpowers.git" so
the installation block (the git clone line) points to the upstream repository.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Potential path traversal vulnerability.

The actualSkillPath is derived from user input (skillName) with only namespace and skills/ prefix stripping. If a user passes a skill name containing .. sequences (e.g., superpowers:../../etc/passwd), the path.join on lines 174, 180, and 191 could resolve to paths outside the intended skill directories, potentially allowing arbitrary file reads.

🔒 Suggested fix: Validate the resolved path stays within allowed directories

+    // Sanitize skill path to prevent directory traversal
+    function isPathWithinDir(filePath, dirPath) {
+        const resolvedFile = path.resolve(filePath);
+        const resolvedDir = path.resolve(dirPath);
+        return resolvedFile.startsWith(resolvedDir + path.sep);
+    }
+
     // If superpowers: namespace was used, only check superpowers skills
     if (forceSuperpowers) {
         if (fs.existsSync(superpowersSkillsDir)) {
             const superpowersPath = path.join(superpowersSkillsDir, actualSkillPath);
+            if (!isPathWithinDir(superpowersPath, superpowersSkillsDir)) {
+                console.log(`Error: Invalid skill path: ${actualSkillPath}`);
+                return;
+            }
             skillFile = findSkillFile(superpowersPath);
         }

Apply similar validation for the personal skills path (line 180) and the fallback superpowers path (line 191).

🤖 Prompt for AI Agents

In @.trae/superpowers-trae around lines 140 - 151, The code strips prefixes from
skillName into actualSkillPath but does not prevent path traversal (e.g., ".."),
so the later path.join calls can escape intended directories; to fix, after
computing actualSkillPath call path.resolve against each base directory used
(the superpowers base, personal skills base, and fallback superpowers base used
in the path.join operations) and verify the resolved path starts with the
corresponding base directory (or is equal) before using it; if the check fails,
reject the request or throw an error. Ensure you apply this validation for the
paths constructed for superpowers (where forceSuperpowers is true), the personal
skills path branch, and the fallback superpowers path so that actualSkillPath
cannot traverse outside the allowed directories.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Repository URL points to fork instead of upstream.

Same issue as in INSTALL.md - this URL references the PR author's fork and should be updated to the upstream repository before merging.

🔧 Suggested fix

-Fetch and follow instructions from https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md
+Fetch and follow instructions from https://raw.githubusercontent.com/obra/superpowers/refs/heads/main/.trae/INSTALL.md

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	```
	Fetch and follow instructions from https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md
	```

🤖 Prompt for AI Agents

In `@docs/README.trae.md` around lines 9 - 11, Replace the forked raw GitHub URL
in the README.trae.md (the string
"https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md")
with the upstream repository URL
"https://raw.githubusercontent.com/obra/superpowers/refs/heads/main/.trae/INSTALL.md";
also search for the same forked URL occurrence in INSTALL.md and update it to
the upstream URL to ensure all references point to obra/superpowers.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Repository URL points to fork instead of upstream.

The manual installation clone URL also needs updating to the upstream repository.

🔧 Suggested fix

 ```bash
 mkdir -p ~/.trae/superpowers
-git clone https://github.com/ice-zjchen/superpowers.git ~/.trae/superpowers
+git clone https://github.com/obra/superpowers.git ~/.trae/superpowers

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🤖 Prompt for AI Agents

In `@docs/README.trae.md` around lines 25 - 28, Update the manual installation
clone command to point to the upstream repository by replacing the clone URL
string "https://github.com/ice-zjchen/superpowers.git" with
"https://github.com/obra/superpowers.git" in the README snippet so the mkdir +
git clone sequence uses the upstream repo.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Repository URL points to fork instead of upstream.

The Trae installation URL references the PR author's fork. Update to the upstream repository URL for consistency with other documentation.

🔧 Suggested fix

 ### Trae

 Tell Trae:

-Fetch and follow instructions from https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md
+Fetch and follow instructions from https://raw.githubusercontent.com/obra/superpowers/refs/heads/main/.trae/INSTALL.md

**Detailed docs:** [docs/README.trae.md](docs/README.trae.md)

The section structure and placement are consistent with the existing Codex and OpenCode sections. 👍

🤖 Prompt for AI Agents

In `@README.md` around lines 80 - 88, The README's Trae section contains a URL
pointing to the contributor's fork; update the URL string literal
"https://raw.githubusercontent.com/ice-zjchen/superpowers/refs/heads/main/.trae/INSTALL.md"
to the upstream repository
"https://raw.githubusercontent.com/obra/superpowers/refs/heads/main/.trae/INSTALL.md"
so the Trae install instruction references the canonical source; edit the
README.md Trae block where that URL appears.