npm - @anytio/pspm - Versions diffs - 0.5.1 → 0.7.0 - Mend

@anytio/pspm 0.5.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,23 @@ All notable changes to the PSPM CLI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.7.0] - 2026-02-25
+### Changed
+- **BREAKING: `--access` is now required for `pspm publish`** — You must explicitly specify `--access public` or `--access private` when publishing. Previously, omitting `--access` would default to public (free users) or private (pro users). This prevents accidental public publishes.
+## [0.6.0] - 2026-02-17
+### Changed
+- **Auth-free read operations**: API key is no longer required for non-write operations (`add`, `install`, `update`, `list`, `link`). Only `publish`, `unpublish`, `deprecate`, `access`, and `whoami` now require authentication.
+- Made `apiKey` parameter optional in SDK configuration, eliminating `apiKey ?? ""` workaround patterns
+### Fixed
+- `update` command no longer blocks users without a PSPM API key when they only have GitHub or public packages installed
 ## [0.5.1] - 2026-02-10
 ### Changed

package/README.md CHANGED Viewed

@@ -125,13 +125,15 @@ pspm version patch --dry-run  # Preview changes without writing
 ### Publishing
 ```bash
-pspm publish                  # Publish current directory as a skill
-pspm publish --bump patch     # Auto-bump version (major, minor, patch)
-pspm publish --access public  # Publish and make public in one step
-pspm unpublish <spec> --force # Remove a published skill version
-pspm deprecate <spec> [msg]   # Mark a version as deprecated
+pspm publish --access private    # Publish as private (requires Pro)
+pspm publish --access public     # Publish as public (irreversible)
+pspm publish --access private --bump patch  # Bump version and publish
+pspm unpublish <spec> --force    # Remove a published skill version
+pspm deprecate <spec> [msg]      # Mark a version as deprecated
 ```
+**`--access` is required.** You must specify `--access public` or `--access private` every time you publish. Private skills require a Pro subscription.
 **Publish preview:** Before uploading, `pspm publish` shows a preview of included files, package size, and requires confirmation. Max package size is **10MB**.
@@ -310,3 +312,5 @@ pspm install --frozen-lockfile
 ## License
 This project is licensed under [The Artistic License 2.0](LICENSE), the same license used by npm.
+<!-- @doc-sync: 17484e41aef17ad72e470bb5511876ce0bdfcbb4 | 2026-02-20 15:00 -->

package/dist/index.js CHANGED Viewed

@@ -772,7 +772,7 @@ async function resolveRecursive(rootDeps, config2) {
   };
   configure2({
     registryUrl: config2.registryUrl,
-    apiKey: config2.apiKey ?? ""
+    apiKey: config2.apiKey
   });
   const rangesByPackage = /* @__PURE__ */ new Map();
   const queue = [];
@@ -2047,7 +2047,7 @@ async function validateRegistryPackage(specifier) {
     );
   }
   const { username, name, versionRange } = parsed;
-  configure2({ registryUrl, apiKey: apiKey ?? "" });
+  configure2({ registryUrl, apiKey });
   console.log(`Resolving ${specifier}...`);
   const versionsResponse = await listSkillVersions(username, name);
   if (versionsResponse.status !== 200) {
@@ -2843,7 +2843,7 @@ async function installFromLockfile(options) {
       }
       console.log(`Resolving ${missingDeps.length} new dependency(ies)...
 `);
-      configure2({ registryUrl, apiKey: apiKey ?? "" });
+      configure2({ registryUrl, apiKey });
       for (const { fullName, versionRange } of missingDeps) {
         const parsed = parseSkillSpecifier(fullName);
         if (!parsed) {
@@ -4144,8 +4144,9 @@ init_lockfile2();
 init_add();
 async function update(options) {
   try {
-    const apiKey = await requireApiKey();
-    const registryUrl = await getRegistryUrl();
+    const config2 = await resolveConfig();
+    const registryUrl = config2.registryUrl;
+    const apiKey = getTokenForRegistry(config2, registryUrl);
     const skills = await listLockfileSkills();
     if (skills.length === 0) {
       console.log("No skills installed.");
@@ -4380,11 +4381,19 @@ program.command("version <bump>").description("Bump package version (major, mino
     dryRun: options.dryRun
   });
 });
-program.command("publish").description("Publish current directory as a skill").option("--bump <level>", "Bump version (major, minor, patch)").option("--tag <tag>", "Tag for the release").option("--access <level>", "Set package visibility (public or private)").action(async (options) => {
+program.command("publish").description("Publish current directory as a skill").option("--bump <level>", "Bump version (major, minor, patch)").option("--tag <tag>", "Tag for the release").requiredOption(
+  "--access <level>",
+  "Set package visibility (public or private)"
+).action(async (options) => {
+  const access3 = options.access;
+  if (access3 !== "public" && access3 !== "private") {
+    console.error('Error: --access must be "public" or "private"');
+    process.exit(1);
+  }
   await publishCommand({
     bump: options.bump,
     tag: options.tag,
-    access: options.access
+    access: access3
   });
 });
 program.command("unpublish <specifier>").description(