merge: 合并 npm-release-integration 到 npm-release

# Conflicts:
#	README.md
#	package-lock.json
#	package.json
#	server/src/app.module.ts
#	web/dist/index.html

Author: claude

README.md

@@ -16,7 +16,9 @@ Secbot is an AI-powered TypeScript security automation workspace with a NestJS b
 - End-to-end TypeScript architecture (`NestJS + Ink + SQLite`).
 - `secbot` binary that starts terminal UI with local spawned backend by default.
 - `secbot-server` binary for backend-only API scenarios.
-- Multi-agent orchestration with planning, tool execution, and summarization.
+- `secbot-mcp` binary that exposes Secbot tools as a stdio MCP server.
+- Shared skills management across REST, TUI slash commands, CLI subcommands, and internal tools.
+- Multi-agent orchestration with planning, tool execution, MCP bridging, and summarization.
 - Built-in security tool modules for web, network, OSINT, defense, and reporting workflows.
 
 ### Source-tree orchestration (contributors)
@@ -79,7 +81,15 @@ secbot
 secbot-server
 ```
 
-### 4. Attach to an existing backend (optional)
+### 4. Start MCP server mode (optional)
+
+```bash
+secbot-mcp
+```
+
+Set `SECBOT_MCP_ALLOW_SENSITIVE=true` only when you intentionally want MCP clients to see sensitive tools.
+
+### 5. Attach to an existing backend (optional)
 
 ```bash
 # Recommended explicit service mode
@@ -95,6 +105,53 @@ SECBOT_TUI_BACKEND=remote SECBOT_API_URL=http://127.0.0.1:8000 secbot
 | --- | --- |
 | `secbot` | Start terminal UI (default: spawn local backend; optional service mode) |
 | `secbot-server` | Start NestJS backend only |
+| `secbot-mcp` | Expose Secbot tools through stdio MCP |
+
+## Skills Management
+
+Secbot now exposes one shared skills layer for product and automation surfaces.
+
+### TUI slash commands
+
+```text
+/skills
+/skill <name>
+/create-skill <name> [--description ...] [--trigger ...] [--tag ...] [--prerequisite ...] [--author ...]
+```
+
+### CLI subcommands
+
+```bash
+secbot skills list
+secbot skills view <name>
+secbot skills create <name> --description "..." --trigger recon --tag web
+```
+
+### REST endpoints
+
+```text
+GET  /api/skills
+GET  /api/skills/:name
+POST /api/skills
+```
+
+Created skills are scaffolded under `skills/custom/<slug>/SKILL.md` and can also be reached through the internal `list_skills`, `get_skill`, and `create_skill` tools.
+
+## MCP Integration
+
+Secbot supports MCP in both directions.
+
+### Use Secbot as an MCP server
+
+```bash
+secbot-mcp
+```
+
+This exposes the current `ToolsService` catalog over stdio MCP. Sensitive tools stay hidden by default unless `SECBOT_MCP_ALLOW_SENSITIVE=true` is set.
+
+### Call external MCP servers from Secbot
+
+Use the built-in `mcp_call` tool to connect to another stdio MCP server, list its tools, or invoke one of them from Secbot workflows.
 
 ## Source Development
 
@@ -122,6 +179,7 @@ SECBOT_TUI_BACKEND=service SECBOT_API_URL=http://127.0.0.1:8000 npm run start:tu
 | --- | --- |
 | `npm run build` | Build the NestJS backend |
 | `npm run build:terminal-ui` | Build the Ink terminal UI |
+| `npm run build:web` | Build the web frontend bundle |
 | `npm run typecheck` | Type-check server code |
 | `npm run lint` | Run ESLint |
 | `npm run format:check` | Check Prettier formatting |

npm-bin/secbot-mcp.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('../server/dist/mcp-server.js');

package-lock.json

@@ -7,13 +7,16 @@
   "main": "server/dist/main.js",
   "bin": {
     "secbot": "npm-bin/secbot.js",
-    "secbot-server": "npm-bin/secbot-server.js"
+    "secbot-server": "npm-bin/secbot-server.js",
+    "secbot-mcp": "npm-bin/secbot-mcp.js"
   },
   "files": [
     "server/dist",
     "terminal-ui/dist",
     "terminal-ui/package.json",
     "scripts/run-product.js",
+    "skills",
+    "web/dist",
     "README.md",
     "README_CN.md",
     "README_EN.md",
@@ -38,8 +41,9 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "prepack": "npm run build && npm run build:terminal-ui",
+    "prepack": "npm run build && npm run build:terminal-ui && npm run build:web",
     "build:terminal-ui": "tsc -p terminal-ui/tsconfig.json",
+    "build:web": "npm --prefix web run build",
     "pack:npm": "npm pack",
     "release:build": "npm run clean && npm run build",
     "release:pack": "npm run release:build && npm pack",
@@ -80,7 +84,8 @@
     "ink-text-input": "^5.0.1",
     "react": "^18.2.0",
     "reflect-metadata": "^0.2.2",
-    "rxjs": "^7.8.1"
+    "rxjs": "^7.8.1",
+    "zod": "^3.25.76"
   },
   "devDependencies": {
     "@emnapi/core": "1.9.2",