fix(integration): align Kimi dispatch and harden legacy migration

- Override build_command_invocation to emit /skill:speckit-<stem>
  so dispatched commands match Kimi Code CLI's native slash syntax.
- Skip symlinked .kimi/skills directories during legacy migration
  and teardown to avoid operating on files outside the project.
- Remove kimi from the multi-install-safe integrations table.
- Add tests for command invocation and symlink safety.

Author: meymchen

docs/reference/integrations.md

@@ -187,7 +187,6 @@ The currently declared multi-install safe integrations are:
 | `iflow` | `.iflow/commands`, `IFLOW.md` |
 | `junie` | `.junie/commands`, `.junie/AGENTS.md` |
 | `kilocode` | `.kilocode/workflows`, `.kilocode/rules/specify-rules.md` |
-| `kimi` | `.kimi-code/skills`, `AGENTS.md` |
 | `qodercli` | `.qoder/commands`, `QODER.md` |
 | `qwen` | `.qwen/commands`, `QWEN.md` |
 | `roo` | `.roo/commands`, `.roo/rules/specify-rules.md` |

src/specify_cli/integrations/kimi/__init__.py

@@ -38,6 +38,25 @@ class KimiIntegration(SkillsIntegration):
     context_file = "AGENTS.md"
     multi_install_safe = False
 
+    def build_command_invocation(self, command_name: str, args: str = "") -> str:
+        """Build Kimi's native skill invocation: ``/skill:speckit-<stem>``.
+
+        Kimi Code CLI invokes installed skills with a ``/skill:<name>``
+        slash command (e.g. ``/skill:speckit-plan``), not the bare
+        ``/speckit-<name>`` form produced by the generic skills base
+        class. Overriding here keeps ``dispatch_command()`` and workflow
+        command steps aligned with the ``/skill:`` guidance shown at init
+        time and in rendered hook invocations.
+        """
+        stem = command_name
+        if stem.startswith("speckit."):
+            stem = stem[len("speckit."):]
+
+        invocation = "/skill:speckit-" + stem.replace(".", "-")
+        if args:
+            invocation = f"{invocation} {args}"
+        return invocation
+
     @classmethod
     def options(cls) -> list[IntegrationOption]:
         return [
@@ -77,7 +96,7 @@ def setup(
         if parsed_options.get("migrate_legacy", False):
             new_skills_dir = self.skills_dest(project_root)
             old_skills_dir = project_root / ".kimi" / "skills"
-            if old_skills_dir.is_dir():
+            if _is_safe_legacy_dir(old_skills_dir, project_root):
                 _migrate_legacy_kimi_skills_dir(old_skills_dir, new_skills_dir)
             _migrate_legacy_kimi_context_file(project_root)
 
@@ -94,12 +113,12 @@ def teardown(
         removed, skipped = super().teardown(project_root, manifest, force=force)
 
         old_skills_dir = project_root / ".kimi" / "skills"
-        if old_skills_dir.is_dir():
+        if _is_safe_legacy_dir(old_skills_dir, project_root):
             legacy_dirs = sorted(
                 [*old_skills_dir.glob("speckit-*"), *old_skills_dir.glob("speckit.*")]
             )
             for legacy_dir in legacy_dirs:
-                if not legacy_dir.is_dir():
+                if legacy_dir.is_symlink() or not legacy_dir.is_dir():
                     continue
                 if _is_speckit_generated_skill(legacy_dir):
                     try:
@@ -116,6 +135,26 @@ def teardown(
         return removed, skipped
 
 
+def _is_safe_legacy_dir(path: Path, project_root: Path) -> bool:
+    """Return ``True`` when *path* is a real directory safely inside *project_root*.
+
+    Legacy migration and cleanup ``shutil.move()`` and ``shutil.rmtree()``
+    directories, so a symlinked ``.kimi``/``.kimi/skills`` (or one reached
+    through a symlinked parent) must never be followed: doing so could
+    relocate or delete content living outside the project tree. We reject
+    the path when it is itself a symlink, when it is not a directory, or
+    when resolving every symlink lands outside *project_root*.
+    """
+    if path.is_symlink() or not path.is_dir():
+        return False
+    try:
+        resolved = path.resolve()
+        root = project_root.resolve()
+    except OSError:
+        return False
+    return resolved == root or root in resolved.parents
+
+
 def _migrate_legacy_kimi_skills_dir(
     old_skills_dir: Path, new_skills_dir: Path
 ) -> tuple[int, int]:
@@ -140,7 +179,7 @@ def _migrate_legacy_kimi_skills_dir(
     )
 
     for legacy_dir in legacy_dirs:
-        if not legacy_dir.is_dir():
+        if legacy_dir.is_symlink() or not legacy_dir.is_dir():
             continue
         if not (legacy_dir / "SKILL.md").exists():
             continue

tests/integrations/test_integration_kimi.py

@@ -239,6 +239,77 @@ def test_teardown_preserves_user_skills_in_legacy_dir(self, tmp_path):
         assert user_skill.exists()
 
 
+class TestKimiCommandInvocation:
+    """Kimi dispatch must use the native ``/skill:`` slash command."""
+
+    def test_build_command_invocation_uses_skill_prefix(self):
+        i = get_integration("kimi")
+        assert i.build_command_invocation("specify") == "/skill:speckit-specify"
+        assert i.build_command_invocation("speckit.plan") == "/skill:speckit-plan"
+
+    def test_build_command_invocation_dotted_extension(self):
+        i = get_integration("kimi")
+        assert (
+            i.build_command_invocation("speckit.git.commit")
+            == "/skill:speckit-git-commit"
+        )
+
+    def test_build_command_invocation_appends_args(self):
+        i = get_integration("kimi")
+        assert (
+            i.build_command_invocation("specify", "my feature")
+            == "/skill:speckit-specify my feature"
+        )
+
+
+class TestKimiLegacySymlinkSafety:
+    """Legacy migration/cleanup must not follow symlinks out of the project."""
+
+    def test_migrate_skips_symlinked_legacy_skills_dir(self, tmp_path):
+        # An attacker-controlled directory outside the project root. Use a
+        # non-template skill name so a successful migration would be visible
+        # (the bundled templates never create "speckit-evillegacy").
+        outside = tmp_path / "outside"
+        (outside / "speckit-evillegacy").mkdir(parents=True)
+        (outside / "speckit-evillegacy" / "SKILL.md").write_text("# evil\n")
+
+        project = tmp_path / "project"
+        (project / ".kimi").mkdir(parents=True)
+        # .kimi/skills is a symlink to the outside directory.
+        (project / ".kimi" / "skills").symlink_to(
+            outside, target_is_directory=True
+        )
+
+        i = get_integration("kimi")
+        m = IntegrationManifest("kimi", project)
+        i.setup(project, m, parsed_options={"migrate_legacy": True})
+
+        # Outside content must be untouched (not moved into .kimi-code).
+        assert (outside / "speckit-evillegacy" / "SKILL.md").exists()
+        assert not (
+            project / ".kimi-code" / "skills" / "speckit-evillegacy"
+        ).exists()
+
+    def test_teardown_skips_symlinked_legacy_skills_dir(self, tmp_path):
+        outside = tmp_path / "outside"
+        outside.mkdir()
+        keep = outside / "keep.txt"
+        keep.write_text("important\n")
+
+        project = tmp_path / "project"
+        (project / ".kimi").mkdir(parents=True)
+        (project / ".kimi" / "skills").symlink_to(
+            outside, target_is_directory=True
+        )
+
+        i = get_integration("kimi")
+        m = IntegrationManifest("kimi", project)
+        i.teardown(project, m)
+
+        # The symlink target and its contents must survive teardown.
+        assert keep.exists()
+
+
 class TestKimiNextSteps:
     """CLI output tests for kimi next-steps display."""