feat(marketplace): implement marketplace feature for VS Code extension

[markijbema]

Fixes #6067

Marketplace Feature Implementation

Implements the full marketplace feature for the Kilo VS Code extension, allowing users to browse, install, and remove MCP Servers, Modes, and Skills from the Kilo marketplace catalog.

What's Included

Extension-Side Services

• API Client - Fetches modes, MCPs, and skills from api.kilo.ai with 5-minute in-memory cache and retry logic (3 attempts, exponential backoff)
• Installation Detection - Scans CLI config files (YAML modes, JSON MCPs, skill directories) to determine what is installed at project and global scope
• Installer - Handles installation of modes (YAML write), MCPs (JSON write with template substitution), and skills (tarball download + extract)
• Uninstaller - Removes modes from YAML, MCPs from JSON, and skill directories
• Path Resolution - Resolves config file paths for project and global scopes
• Service Orchestrator - Coordinates all sub-services, opens files in editor on install, shows VS Code notifications

IPC Protocol

• fetchMarketplaceData / marketplaceData
• installMarketplaceItem / marketplaceInstallResult
• removeInstalledMarketplaceItem / marketplaceRemoveResult
• filterMarketplaceItems

Webview UI

• MarketplaceView - Top-level component with 3-tab UI (MCP Servers, Modes, Skills)
• MarketplaceListView - Shared list for MCP/Mode tabs with search, installed-status filter, tag multi-select
• SkillsMarketplace - Skills tab with search and category toggle buttons
• Item Cards - Cards showing name, author, description, install/remove button, installed badge, clickable tags
• InstallModal - Scope selection, installation method picker, prerequisites, parameter form with validation
• RemoveDialog - Confirmation dialog before removal

Telemetry

• Marketplace Tab Viewed
• Marketplace Install Button Clicked
• Marketplace Item Installed
• Marketplace Item Removed

Not Yet Implemented

• Organization integration (hide MCPs, org-provided MCPs section)
• Post-install navigation buttons

Spec Reference

• Full specification: packages/kilo-vscode/docs/non-agent-features/marketplace-specification.md
• Parity requirements: packages/kilo-vscode/docs/non-agent-features/marketplace.md

[markijbema]

(not ready but i want bot review)

[markijbema]

Fixes #6067

[kilo-code-bot]

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	1
WARNING	1
SUGGESTION	0

Fix these issues in Kilo Cloud

Issue Details (click to expand)

CRITICAL

File	Line	Issue
packages/kilo-vscode/src/KiloProvider.ts	674	Mode removal ignores the selected scope and can delete the wrong installation

WARNING

File	Line	Issue
packages/opencode/src/agent/agent.ts	519	Removing marketplace modes from supported .jsonc configs fails with JSON.parse

Other Observations (not in diff)

No additional issues outside diff hunks.

Files Reviewed (12 files)

• packages/kilo-vscode/src/KiloProvider.ts - 1 issue
• packages/kilo-vscode/src/SettingsEditorProvider.ts - 0 issues
• packages/kilo-vscode/src/project-directory.ts - 0 issues
• packages/kilo-vscode/src/services/marketplace/api.ts - 0 issues
• packages/kilo-vscode/src/services/marketplace/detection.ts - 0 issues
• packages/kilo-vscode/src/services/marketplace/index.ts - 0 issues
• packages/kilo-vscode/src/services/marketplace/installer.ts - 0 new issues
• packages/kilo-vscode/src/services/marketplace/paths.ts - 0 new issues
• packages/kilo-vscode/webview-ui/src/App.tsx - 0 issues
• packages/kilo-vscode/webview-ui/src/components/marketplace/MarketplaceView.tsx - 0 new issues
• packages/kilo-vscode/webview-ui/src/components/marketplace/InstallModal.tsx - 0 new issues
• packages/opencode/src/agent/agent.ts - 1 issue

---

_{Reviewed by gpt-5.4-20260305 · 2,383,727 tokens}

[kilo-code-bot]

WARNING: Editor-opening failures can mask a successful install

At this point the filesystem install has already completed, but a showTextDocument() rejection will bubble out of MarketplaceService.install() and prevent marketplaceInstallResult from being posted back to the webview. That leaves the UI treating a completed install as a failed or hung request. Wrapping the editor-opening step as best-effort keeps the returned result aligned with the actual install outcome.

[kilo-code-bot]

WARNING: Symlinked skills are skipped during install detection

Kilo's skill discovery already supports .kilocode/skills/<name> symlinks, but readdir(..., { withFileTypes: true }) reports those entries as symbolic links, not directories. This guard skips them, so the marketplace metadata marks linked skills as uninstalled and can offer duplicate install/remove actions.

Suggested change

	if (!entry.isDirectory()) continue
	if (!entry.isDirectory() && !entry.isSymbolicLink()) continue

[kilo-code-bot]

WARNING: Concurrent removals overwrite each other's tracking

pendingRemove only stores one in-flight item. Because the UI keeps the other Remove buttons enabled after confirmation, confirming removal B before removal A finishes replaces A here; when A's result comes back, the handler will attribute it to B and then clear the only pending slot, so B's later response loses its context entirely. Track removals by slug/request id, or block additional removals until the current one completes.

[kilo-code-bot]

WARNING: Stale marketplace responses can overwrite the current workspace

fetchMarketplaceData is sent on mount and again whenever workspaceDirectory changes, but marketplaceData has no workspace or request identifier. If a slower response from workspace A arrives after the user has already switched to workspace B, this handler will still replace items and marketplaceInstalledMetadata with A's state, so the panel can show install status for the wrong project.

[kilo-code-bot]

WARNING: Project scope goes stale after the panel opens

This only snapshots the active workspace when openPanel() runs. If the user leaves the marketplace panel open and switches to a different workspace folder, later project-scoped installs/removals still use the old directory until the panel is reopened, so actions can be applied to the wrong repo in a multi-root workspace.

[markijbema]

why? this should just be the dir of the currently opened workspace and not be depnedent on teh session i think?

[kilo-code-bot]

WARNING: Remove always targets the project copy when both scopes are installed

isInstalled() collapses the install state down to a single scope and prefers "project". If the same marketplace item is installed both globally and in the project, clicking Remove here can never target the global copy first, so the uninstall appears to fail because the card stays installed after the project entry is deleted.

[kilo-code-bot]

WARNING: Standalone panel overrides are still lost after a session load

getProjectDirectory() establishes the new override/null contract for standalone panels, but loadMessages() still emits workspaceDirectoryChanged with getWorkspaceDirectory(sessionID) later in this file. Because the webview server context treats that message as authoritative, loading or switching sessions can overwrite the panel's explicit project selection and re-enable project-scoped installs for the wrong workspace.

[kilo-code-bot]

WARNING: A single malformed skill record drops the entire skills catalog

transformSkill() assumes every marketplace item has string id and category values. If the API returns one partial/bad row, items.map(transformSkill) will throw on kebabToTitleCase(undefined), and fetchAll() then replaces the whole skills response with []. Validating or skipping invalid entries here would keep the rest of the marketplace visible during a partial rollout or bad publish.

[kilo-code-bot]

WARNING: Global marketplace skills are stored in the wrong layer

~/.kilocode/skills is the generic user-global skills directory, while the CLI and migration docs treat <VS Code globalStorage>/skills as the location for marketplace-installed skills. Writing marketplace installs here collapses those two layers, so precedence changes and the install no longer follows the actual host editor storage path passed in KILO_VSCODE_STORAGE_PATH.

[kilo-code-bot]

WARNING: This test instantiates MarketplacePaths with an argument the class no longer accepts. TypeScript will flag Expected 0 arguments, but got 1, so the new test suite will not compile as written.

Suggested change

	const paths = new MarketplacePaths(path.join(workspace, "storage"))
	const paths = new MarketplacePaths()

[kilo-code-bot]

WARNING: MarketplaceService also has a zero-argument constructor now, so this test currently fails type-checking before it can exercise the install path.

Suggested change

	const service = new MarketplaceService("/tmp/kilo-marketplace-service")
	const service = new MarketplaceService()

[kilo-code-bot]

WARNING: Null marketplace payloads crash this fetch path

parseResponse() can return null for an empty document or a literal null, but this line dereferences parsed.items immediately. That throws before fetchAll() can turn the failure into a user-visible errors[] entry, so a transient bad marketplace response breaks the whole load instead of degrading gracefully. The same object guard is needed in fetchMcps() and fetchSkills() as well.

[kilo-code-bot]

WARNING: Install results are not correlated to a specific request

This listener accepts any marketplaceInstallResult for the same item.id, but the response payload only carries slug. If the modal is closed and reopened for the same item before an earlier request finishes, a delayed result from the old install will be applied to the new modal and reported with the current scope() on line 48. That can show the wrong success/failure state and emit follow-up telemetry/refreshes for the wrong target.

[kilo-code-bot]

WARNING: Marketplace modes with an mcp group lose skill access

Config.Permission and the skill tool use the skill permission key, not mcp. With this mapping, a mode that declares groups: ["mcp"] is written as { mcp: "allow" }, which the runtime does not honor, so the installed agent still prompts/blocks when it tries to use skills. ALL_PERMISSIONS is also keyed to mcp, so skill never receives the intended explicit allow/deny here.

[kilo-code-bot]

WARNING: Project-scoped marketplace paths can throw without a resolved workspace

Standalone panels intentionally allow projectDirectory to be absent in ambiguous multi-root cases. If a project-scope install/remove reaches this helper with workspace === undefined, path.join(workspace!, ...) throws ERR_INVALID_ARG_TYPE instead of falling back to global scope or returning a clean validation error.

[kilo-code-bot]

CRITICAL: Mode removal ignores the selected scope

removeInstalledMarketplaceItem computes scope, but the mode branch drops it and calls removeModeViaCli() with only the item payload. The CLI removeAgent path is unscoped and Agent.remove() scans both project and global config sources, so clicking the project/global remove button here can delete the mode from the wrong location (or from both).

[kilo-code-bot]

WARNING: Supported .jsonc configs will fail on removal

This loop explicitly scans kilo.jsonc and opencode.jsonc, but JSON.parse(raw) rejects valid JSONC comments and trailing commas. In any project using the CLI's supported JSONC config format, removing a marketplace-installed mode throws before the agent entry can be deleted.