my-extension/
├── qwen-extension.json      # Required manifest
├── README.md               # User documentation
├── LICENSE                 # License file
├── CHANGELOG.md            # Version history
├── .gitignore              # Git ignore rules
├── QWEN.md                 # Context (if needed)
├── commands/               # Custom commands
│   ├── category1/
│   │   └── command1.md
│   └── category2/
│       └── command2.md
├── skills/                 # Skills
│   └── skill-name/
│       └── SKILL.md
├── agents/                 # Subagents
│   ├── agent1.md
│   └── agent2.md
└── mcp-server/            # MCP server code (if applicable)
    ├── src/
    │   └── server.ts
    ├── dist/
    │   └── server.js
    ├── package.json
    └── tsconfig.json

// Good
"name": "github-tools"
"name": "database-query"
"name": "code-reviewer"

// Bad
"name": "myExtension"         // Not kebab-case
"name": "tools_for_stuff"     // Underscores instead of dashes
"name": "ext"                 // Too vague

✅ commands/analyze-dependencies.md
✅ commands/test/run-e2e.md
❌ commands/cmd1.md
❌ commands/DoStuff.md

# Good
name: code-reviewer
name: test-generator
name: api-designer

# Bad
name: Helper
name: tool_1
name: myAgent

{
  "name": "my-extension",
  "version": "1.0.0",
  "mcpServers": {
    "myServer": {
      "command": "node",
      "args": ["${extensionPath}${/}dist${/}server.js"],
      "cwd": "${extensionPath}",
      "description": "Provides tools for X, Y, and Z"
    }
  },
  "contextFileName": "QWEN.md",
  "commands": "commands",
  "skills": "skills",
  "agents": "agents",
  "settings": [
    {
      "name": "API Key",
      "description": "Your API key from https://example.com/api-keys",
      "envVar": "MY_EXTENSION_API_KEY",
      "sensitive": true
    }
  ]
}

// Good - portable across platforms
"args": ["${extensionPath}${/}dist${/}server.js"]

// Bad - hardcoded paths
"args": ["/Users/me/.qwen/extensions/my-ext/dist/server.js"]
"args": ["C:\\Users\\me\\.qwen\\extensions\\my-ext\\dist\\server.js"]

// Bad - wrong path separator
"args": ["${extensionPath}/dist/server.js"]  // Breaks on Windows

{
  "version": "1.0.0"   // MAJOR.MINOR.PATCH
}

// Good
server.registerTool('search_repositories', ...)
server.registerTool('create_pull_request', ...)

// Bad
server.registerTool('search', ...)  // Too vague
server.registerTool('do_stuff', ...)

// Good
{
  description: 'Search GitHub repositories by query string, language, and stars. Returns repository name, description, URL, and star count.',
  inputSchema: z.object({
    query: z.string().describe('Search terms (supports GitHub search syntax)'),
    language: z.string().optional().describe('Filter by programming language'),
    min_stars: z.number().optional().describe('Minimum star count'),
  }).shape,
}

// Bad
{
  description: 'Searches repos',
  inputSchema: z.object({
    q: z.string(),
    lang: z.string().optional(),
  }).shape,
}

inputSchema: z.object({
  email: z.string().email().describe('Valid email address'),
  age: z.number().int().min(0).max(150).describe('Age in years'),
  url: z.string().url().describe('Valid HTTP(S) URL'),
  items: z.array(z.string()).min(1).max(100).describe('1-100 items'),
}).shape,

async ({ param }) => {
  try {
    const result = await externalApiCall(param);
    
    if (!result) {
      return {
        content: [{
          type: 'text',
          text: 'No results found',
        }],
      };
    }
    
    return {
      content: [{
        type: 'text',
        text: JSON.stringify(result, null, 2),
      }],
    };
  } catch (error) {
    return {
      content: [{
        type: 'text',
        text: `Error: ${error.message}\n\nPlease check your configuration and try again.`,
      }],
      isError: true,
    };
  }
}

// Good - structured JSON
return {
  content: [{
    type: 'text',
    text: JSON.stringify({
      status: 'success',
      count: results.length,
      results: results.map(r => ({
        id: r.id,
        name: r.name,
        description: r.description,
      })),
    }, null, 2),
  }],
};

// Bad - unformatted dump
return {
  content: [{
    type: 'text',
    text: results.toString(),
  }],
};

const timeout = (ms: number) => new Promise((_, reject) => 
  setTimeout(() => reject(new Error('Timeout')), ms)
);

const result = await Promise.race([
  externalApiCall(params),
  timeout(30000),  // 30 second timeout
]);

const cache = new Map<string, { data: any; timestamp: number }>();
const CACHE_TTL = 5 * 60 * 1000;  // 5 minutes

function getCached(key: string) {
  const cached = cache.get(key);
  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
    return cached.data;
  }
  return null;
}

server.registerTool('get_data', { ... }, async ({ query }) => {
  const cacheKey = `data:${query}`;
  const cached = getCached(cacheKey);
  
  if (cached) {
    return cached;
  }
  
  const data = await fetchData(query);
  cache.set(cacheKey, { data, timestamp: Date.now() });
  
  return data;
});

const MAX_RESULTS = 100;

server.registerTool('search', { ... }, async ({ query, limit = 10 }) => {
  const safeLimit = Math.min(limit, MAX_RESULTS);
  const results = await search(query, safeLimit);
  
  return {
    content: [{
      type: 'text',
      text: JSON.stringify({
        count: results.length,
        total: results.total,
        results: results.slice(0, safeLimit),
      }, null, 2),
    }],
  };
});

# Good - Single purpose
---
description: Search for TODO comments and list them by file
---

TODO comments in the project:

!{grep -r "TODO" . --include="*.ts" --include="*.js"}

Please organize these by file and prioritize them.

# Bad - Does too much
---
description: Search and fix TODOs and also analyze code quality
---
...

# Good
---
description: Analyzes package.json dependencies and suggests updates, including security advisories
---

# Bad
---
description: Checks dependencies
---

# Good - Limited output
!{git log --oneline -20}
!{ls -la | head -50}
!{grep -r "pattern" . | head -100}

# Bad - Unlimited output (could be huge)
!{git log}
!{find . -type f}
!{cat huge-file.log}

# Good - Handles failures
!{cat "{{args}}" 2>/dev/null || echo "File not found: {{args}}"}

# Bad - No error handling
!{cat "{{args}}"}

# Good
---
name: performance-analyzer
description: Analyzes code performance, identifies bottlenecks, calculates complexity, and suggests optimizations. Use when user asks about performance, speed, or optimization.
---

# Bad
---
name: perf
description: Performance stuff
---

# Code Review Skill

## When to Use

[Clear trigger conditions]

## Review Process

1. **Step 1**: [What to do]
2. **Step 2**: [What to do]
3. **Step 3**: [What to do]

## Output Format

[Structured format]

## Best Practices

[Guidelines to follow]

## Example

**Input**: Function that validates email addresses

**Analysis**:
- Check regex pattern correctness
- Test edge cases
- Verify error handling

**Output**: Review with specific suggestions

# Good - Specific role
---
name: api-designer
description: Specialized in designing RESTful APIs
tools:
  - Read
  - Write
---

You are an API design specialist...

# Bad - Too broad
---
name: coding-helper
description: Helps with coding
tools:
  - Read
  - Write
  - Bash
  - Grep
  - WebFetch
---

You help with code...

# Good - Only necessary tools
tools:
  - Read      # To read code
  - Write     # To write docs
  - Grep      # To search

# Bad - Excessive tools
tools:
  - Read
  - Write
  - Edit
  - Grep
  - Glob
  - Bash
  - WebFetch
  - WebSearch
  - TodoWrite

You are a test writing specialist.

## Your Approach

1. **Understand**: Read and analyze the code
2. **Plan**: Identify test cases needed
3. **Write**: Create clear, focused tests
4. **Verify**: Ensure tests run and pass

## Testing Principles

- Test behavior, not implementation
- Use descriptive test names
- Follow AAA pattern (Arrange, Act, Assert)
- Mock external dependencies
- Cover edge cases and errors

# Good
### query_database
Executes SQL queries (read-only). Always use LIMIT.
Example: SELECT * FROM users LIMIT 100

# Bad (too verbose)
### query_database
This tool allows you to execute SQL queries against the configured database.
It's important to note that this is a read-only connection, so you cannot
perform INSERT, UPDATE, or DELETE operations. When you write queries, you
should always include a LIMIT clause to avoid returning too many rows...
[continues for several paragraphs]

## Important Constraints

- Query timeout: 30 seconds
- Max results: 1000 rows
- Read-only access
- Requires API key configured

## Example Usage

1. List tables: `list_tables()`
2. Get schema: `describe_table({table: "users"})`
3. Query: `query_database({query: "SELECT * FROM users LIMIT 10"})`

// Good
{
  "name": "GitHub Personal Access Token",
  "description": "Create at https://github.com/settings/tokens with 'repo' scope",
  "envVar": "GITHUB_TOKEN",
  "sensitive": true
}

// Bad
{
  "name": "Token",
  "description": "Your token",
  "envVar": "TOKEN",
  "sensitive": true
}

{
  "settings": [
    {
      "name": "API Key",
      "envVar": "API_KEY",
      "sensitive": true     // Stored in keychain
    },
    {
      "name": "API Endpoint",
      "envVar": "API_URL",
      "sensitive": false    // Stored in .env file
    }
  ]
}

// In MCP server
const API_URL = process.env.API_URL || 'https://api.example.com';
const TIMEOUT = parseInt(process.env.TIMEOUT || '30000');
const MAX_RETRIES = parseInt(process.env.MAX_RETRIES || '3');

# Changelog

All notable changes to this extension will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/).

## [1.2.0] - 2024-01-20

### Added
- New `analyze` command for code analysis
- Support for TypeScript type checking

### Fixed
- Issue with timeout on large files

### Changed
- Improved error messages

## [1.1.0] - 2024-01-10

### Added
- Multi-file support for commands

## [1.0.0] - 2024-01-01

- Initial release

# Link locally
qwen extensions link .

# Test all features
# - Try all commands
# - Test all MCP tools
# - Verify agents work
# - Check skills are discovered

# Test with fresh install
qwen extensions uninstall my-extension
qwen extensions install /path/to/my-extension

// Good
server.registerTool('read_file', { ... }, async ({ path }) => {
  // Validate path
  if (path.includes('..') || path.startsWith('/')) {
    return {
      content: [{ type: 'text', text: 'Invalid path' }],
      isError: true,
    };
  }
  
  const safePath = join(process.cwd(), path);
  // ... read file
});

// Bad - No validation
server.registerTool('read_file', { ... }, async ({ path }) => {
  return fs.readFileSync(path, 'utf-8');  // Dangerous!
});

// Good - Never log sensitive data
if (DEBUG) {
  console.error('Making API call to:', endpoint);
  // DON'T log: API_KEY, passwords, tokens
}

// Bad
console.log('Using API key:', API_KEY);

// Good
const API_URL = 'https://api.example.com';

// Bad
const API_URL = 'http://api.example.com';

// Good
throw new Error(
  'GitHub token not configured. '
  + 'Set it with: qwen extensions settings set github-tools "GitHub Token"'
);

// Bad
throw new Error('No token');

// Good
return {
  content: [{
    type: 'text',
    text: `Failed to fetch repositories for "${owner}":\n`
      + `Error: ${error.message}\n\n`
      + `Please check that:\n`
      + `1. The username "${owner}" exists\n`
      + `2. Your GitHub token has correct permissions\n`
      + `3. You have network connectivity`,
  }],
  isError: true,
};

// Bad
return {
  content: [{ type: 'text', text: 'Error' }],
  isError: true,
};

// Good - Stream large responses
server.registerTool('fetch_large_data', { ... }, async ({ id }) => {
  const stream = await fetchDataStream(id);
  const chunks = [];
  
  for await (const chunk of stream) {
    chunks.push(chunk);
    if (chunks.length > 1000) break;  // Limit
  }
  
  return { content: [{ type: 'text', text: chunks.join('') }] };
});

// Bad - Load everything into memory
server.registerTool('fetch_large_data', { ... }, async ({ id }) => {
  const allData = await fetchAllData(id);  // Could be gigabytes
  return { content: [{ type: 'text', text: allData }] };
});

// Good
"args": ["${extensionPath}${/}dist${/}server.js"]

// Bad
"args": ["${extensionPath}/dist/server.js"]

{
  "engines": {
    "node": ">=20.0.0"
  }
}