feat(api): add scan security verification endpoint and non-suspicious filters #537

Open
VACInc wants to merge 3 commits into openclaw:main from VACInc:feat/v1-scan-verification-nonsuspicious

@VACInc VACInc commented Feb 26, 2026

Summary

Adds API support for skill security scan verification and aligns API filtering with website behavior for hiding suspicious skills.

What Changed

  • Added GET /api/v1/skills/{slug}/scan for normalized security scan verification details.
  • Added merged VT + LLM security snapshot output for version and scan responses.
  • Added nonSuspiciousOnly support to:
    • GET /api/v1/search
    • GET /api/v1/skills
  • Added legacy /api/search boolean alias parity (true and 1).
  • Refactored boolean query parsing into shared convex/lib/httpUtils.ts to remove duplication.
  • Fixed trending list behavior for nonSuspiciousOnly=true to backfill clean entries before enforcing the final limit.
  • Added/updated regression tests for shared boolean parsing and trending non-suspicious backfill behavior.
  • Updated API docs and OpenAPI for the new endpoint, fields, and query params.

Validation

  • bun run lint
  • bun run test
  • bun run test:e2e

Files

  • convex/httpApiV1/skillsV1.ts
  • convex/skills.ts
  • convex/httpApi.ts
  • convex/lib/httpUtils.ts
  • convex/lib/httpUtils.test.ts
  • convex/httpApiV1.handlers.test.ts
  • convex/httpApi.handlers.test.ts
  • convex/skills.listPublicPage.test.ts
  • docs/http-api.md
  • docs/api.md
  • public/api/v1/openapi.json

Relates #189
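
An added example, not code from this pull request: a sketch of the `nonSuspiciousOnly` query parsing and the trending backfill described above. The function names, the `suspicious` flag and the sample ranking are assumptions made for illustration.

```typescript
// Added illustration; all names here are hypothetical, not the project's code.
interface TrendingEntry {
  slug: string;
  suspicious: boolean; // constructed flag standing in for the scan verdict
}

// Accept only "true" and "1" as truthy, matching the alias parity the PR
// describes. Trimming and lower-casing are assumptions of this sketch.
function parseBooleanQuery(value: string | null | undefined): boolean {
  if (value === null || value === undefined) return false;
  const v = value.trim().toLowerCase();
  return v === "true" || v === "1";
}

// Shown for contrast: truncating first lets suspicious entries consume slots,
// so the caller gets fewer than `limit` results.
function truncateThenFilter(ranked: TrendingEntry[], limit: number): TrendingEntry[] {
  return ranked.slice(0, limit).filter((e) => !e.suspicious);
}

// Backfill: walk the ranking, skip suspicious entries, stop once the page is full.
function listTrending(
  ranked: TrendingEntry[],
  limit: number,
  nonSuspiciousOnly: boolean,
): TrendingEntry[] {
  const page: TrendingEntry[] = [];
  for (const entry of ranked) {
    if (page.length >= limit) break;
    if (nonSuspiciousOnly && entry.suspicious) continue;
    page.push(entry);
  }
  return page;
}

// Constructed sample ranking (not real data), most popular first.
const sampleRanking: TrendingEntry[] = [
  { slug: "alpha", suspicious: false },
  { slug: "bravo", suspicious: true },
  { slug: "charlie", suspicious: true },
  { slug: "delta", suspicious: false },
  { slug: "echo", suspicious: false },
];

function slugs(entries: TrendingEntry[]): string {
  return entries.map((e) => e.slug).join(",");
}
```

With a limit of 3, the truncate-first ordering returns a single entry for this ranking, while the backfill ordering returns a full page of clean entries.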

vercel bot commented Feb 26, 2026

Someone is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

greptile-apps bot commented Feb 26, 2026

Greptile Summary

Added comprehensive security scan verification API endpoint (/api/v1/skills/{slug}/scan) and filtering capabilities across search and list endpoints. The implementation merges VirusTotal and LLM security analysis into a normalized security snapshot with proper status prioritization (malicious > suspicious > pending > error > clean). Added support for nonSuspiciousOnly query parameter to filter out suspicious skills, aligning API behavior with website filtering. Includes backward-compatible nonSuspicious alias for legacy clients.

  • Added buildSkillSecuritySnapshot helper that normalizes and merges VT + LLM scan results
  • Enhanced security response format in version details with scanner-specific breakdown
  • Extended search and list endpoints with nonSuspiciousOnly filtering
  • Added comprehensive test coverage for new functionality
  • Updated documentation and OpenAPI spec

Confidence Score: 5/5

  • Safe to merge with minimal risk
  • Well-tested feature addition with comprehensive test coverage (189 new test lines), proper error handling, backward compatibility via parameter aliases, and correctly merged security analysis logic. The only minor issue is code duplication of a small utility function.
  • No files require special attention

Last reviewed commit: b46cb29
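
An added example, not the project's `buildSkillSecuritySnapshot`: one way to merge two scanner verdicts under the priority order quoted in the summary above (malicious > suspicious > pending > error > clean). The type and function names are hypothetical, and treating a missing result as pending and an unrecognized value as error are assumptions of this sketch.

```typescript
// Added illustration; names are hypothetical, not the project's helper.
type ScanStatus = "malicious" | "suspicious" | "pending" | "error" | "clean";

// Highest priority first, in the order the review summary gives.
const PRIORITY: ScanStatus[] = ["malicious", "suspicious", "pending", "error", "clean"];

interface SecuritySnapshot {
  status: ScanStatus;
  scanners: { vt: ScanStatus; llm: ScanStatus };
}

// Assumption: a scanner with no result yet is "pending", and an unrecognized
// value is "error", so neither can be reported as "clean".
function normalizeStatus(raw: unknown): ScanStatus {
  if (raw === undefined || raw === null) return "pending";
  if (typeof raw !== "string") return "error";
  const v = raw.trim().toLowerCase() as ScanStatus;
  return PRIORITY.indexOf(v) >= 0 ? v : "error";
}

// The merged status is whichever scanner verdict ranks higher in PRIORITY,
// so one scanner's "clean" never masks the other's finding.
function mergeSecuritySnapshot(vtRaw: unknown, llmRaw: unknown): SecuritySnapshot {
  const vt = normalizeStatus(vtRaw);
  const llm = normalizeStatus(llmRaw);
  const status = PRIORITY.indexOf(vt) <= PRIORITY.indexOf(llm) ? vt : llm;
  return { status, scanners: { vt, llm } };
}

// Constructed inputs: VT reports clean, the LLM scan reports suspicious.
const mergedExample: SecuritySnapshot = mergeSecuritySnapshot("clean", "suspicious");
```

The per-scanner values are kept next to the merged status so a client can see which scanner produced the verdict.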

@greptile-apps greptile-apps bot left a comment

9 files reviewed, 1 comment

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b46cb2938e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 44e694c974
