@bitpub/cli 2.0.0 → 2.0.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitpub/cli",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "BitPub CLI — local-first shared memory for AI agents. Six daily verbs (save/load/list/find/sync/delete), zero-config private namespace, encrypted client-side.",
   "bin": {
     "bitpub": "./bin/bitpub.js"

package/src/commands/update.js

@@ -1,103 +1,102 @@
 'use strict';
 
 /**
- * `bitpub update` — pull the latest CLI tarball from your tenant and
+ * `bitpub update` — pull the latest CLI from the npm registry and
  * reinstall globally.
  *
- * Resolution order for the tenant URL (first match wins):
- *   1. --url flag
- *   2. BITPUB_CLOUD_URL env var
- *   3. api_url from ~/.bitpub/config.json (set by `bitpub init` / `auth login`)
- *   4. https://bitpub.io
+ * Source of truth is the public npm package at
+ *   https://www.npmjs.com/package/@bitpub/cli
+ * which is published from cli/package.json. We read the latest version
+ * via the registry API (https://registry.npmjs.org/@bitpub/cli/latest)
+ * and then delegate the actual install to `npm install -g @bitpub/cli@<version>`.
  *
- * The tarball lives at `${url}/cli/latest.tgz` — same path the one-liner
- * installer uses. We download to a temp file, peek at its package.json
- * for a version diff, then run `npm install -g <tarball>`.
+ * Anyone with the CLI on PATH can also self-update without this command —
+ * `npm install -g @bitpub/cli@latest` is equivalent. `bitpub update` exists
+ * to add (1) a one-line version diff before installing, (2) automatic
+ * refresh of installed skill files after the install, and (3) a `--check`
+ * mode for CI / agent flows that want to know "is there a newer version"
+ * without actually upgrading.
+ *
+ * `--registry <url>` overrides the registry, for teams publishing to a
+ * private npm registry (Verdaccio, GitHub Packages, AWS CodeArtifact, etc.).
  */
 
-const path = require('path');
-const fs = require('fs');
-const os = require('os');
 const { spawnSync } = require('child_process');
 const axios = require('axios');
-const { readConfig } = require('../config');
 const { refreshExistingSkills } = require('./skills');
 
+const PACKAGE_NAME = '@bitpub/cli';
+const DEFAULT_REGISTRY = 'https://registry.npmjs.org';
+const NPM_WEB_URL = `https://www.npmjs.com/package/${PACKAGE_NAME}`;
+
 module.exports = function registerUpdate(program) {
   program
     .command('update')
-    .description('Update the BitPub CLI (and any installed skill files) to the latest tarball published by your tenant')
-    .option('--url <string>', 'Override the tenant URL to fetch the tarball from')
+    .description('Update the BitPub CLI (and any installed skill files) to the latest version on npm')
+    .option('--registry <url>', 'Override the npm registry (for private npm mirrors)')
     .option('--check', 'Only check the remote version; do not install')
     .option('--skip-skills', 'Do not refresh installed skill files after the update')
     .action(async (opts) => {
-      const config = readConfig();
-      const cloudUrl = (
-        opts.url ||
-        process.env.BITPUB_CLOUD_URL ||
-        config?.api_url ||
-        'https://bitpub.io'
-      ).replace(/\/$/, '');
-
-      const tarballUrl = `${cloudUrl}/cli/latest.tgz`;
+      const registry = (opts.registry || DEFAULT_REGISTRY).replace(/\/$/, '');
+      const versionUrl = `${registry}/${encodeURIComponent(PACKAGE_NAME)}/latest`;
       const localVersion = require('../../package.json').version;
 
       console.log(`Current : v${localVersion}`);
-      console.log(`Tarball : ${tarballUrl}`);
-
-      const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'bitpub-update-'));
-      const tarballPath = path.join(tmpDir, 'bitpub-cli.tgz');
+      console.log(`Source  : ${NPM_WEB_URL}`);
+      if (opts.registry) console.log(`Registry: ${registry}`);
 
+      let remoteVersion;
       try {
-        const resp = await axios.get(tarballUrl, {
-          responseType: 'arraybuffer',
-          timeout: 30_000,
-          maxRedirects: 5,
+        const resp = await axios.get(versionUrl, {
+          timeout: 15_000,
           validateStatus: (s) => s === 200,
+          headers: { accept: 'application/json' },
         });
-        fs.writeFileSync(tarballPath, Buffer.from(resp.data));
+        remoteVersion = resp.data?.version;
       } catch (err) {
-        cleanup(tmpDir);
         const status = err.response?.status;
-        if (status) {
-          console.error(`\n✗ Failed to download tarball: HTTP ${status} from ${tarballUrl}`);
-          if (status === 404) {
-            console.error('  This tenant does not appear to publish a CLI tarball.');
-            console.error('  Try --url https://bitpub.io for the public tenant.');
-          }
+        if (status === 404) {
+          console.error(`\n✗ ${PACKAGE_NAME} not found on ${registry}.`);
+          console.error('  If you publish to a private registry, pass --registry <url>.');
+        } else if (status) {
+          console.error(`\n✗ Registry query failed: HTTP ${status} from ${versionUrl}`);
         } else {
-          console.error(`\n✗ Failed to download tarball: ${err.message}`);
+          console.error(`\n✗ Registry query failed: ${err.message}`);
         }
         process.exit(1);
       }
 
-      const remoteVersion = readVersionFromTarball(tarballPath) || 'unknown';
+      if (!remoteVersion) {
+        console.error(`\n✗ Registry response did not include a version. URL: ${versionUrl}`);
+        process.exit(1);
+      }
+
       console.log(`Remote  : v${remoteVersion}`);
 
       if (opts.check) {
-        cleanup(tmpDir);
         if (remoteVersion === localVersion) {
           console.log('\n✓ Already up to date.');
         } else {
-          console.log('\nRun `bitpub update` to install v' + remoteVersion + '.');
+          console.log(`\nRun \`bitpub update\` to install v${remoteVersion}.`);
         }
         return;
       }
 
       if (remoteVersion === localVersion) {
-        console.log('\nAlready on v' + localVersion + ' — reinstalling anyway to refresh files.');
+        console.log(`\nAlready on v${localVersion} — reinstalling anyway to refresh files.`);
       }
 
-      console.log('\nInstalling globally with npm...');
-      const result = spawnSync('npm', ['install', '-g', tarballPath], {
-        stdio: 'inherit',
-      });
+      const installSpec = `${PACKAGE_NAME}@${remoteVersion}`;
+      const npmArgs = ['install', '-g', installSpec];
+      if (opts.registry) npmArgs.push('--registry', registry);
 
-      cleanup(tmpDir);
+      console.log(`\nInstalling: npm ${npmArgs.join(' ')}`);
+      const result = spawnSync('npm', npmArgs, { stdio: 'inherit' });
 
       if (result.status !== 0) {
         console.error('\n✗ npm install -g failed.');
         console.error('  Try running the command with sudo, or set npm prefix to a writable dir.');
+        console.error(`  Or manually: npm install -g ${installSpec}`);
         process.exit(result.status || 1);
       }
 
@@ -112,7 +111,7 @@ module.exports = function registerUpdate(program) {
         return;
       }
       if (updates.length === 0) {
-        console.log('  (no skill installs found — run `bitpub skills install` to set them up)');
+        console.log('  (no skill installs found — run `bitpub setup skill install` to set them up)');
         return;
       }
       for (const u of updates) {
@@ -127,29 +126,3 @@ module.exports = function registerUpdate(program) {
       }
     });
 };
-
-function cleanup(tmpDir) {
-  try {
-    fs.rmSync(tmpDir, { recursive: true, force: true });
-  } catch {
-    // best-effort
-  }
-}
-
-/**
- * Peek at `package/package.json` inside an npm tarball using the system
- * `tar`. Both BSD tar (macOS default) and GNU tar (Linux) support
- * `-xzOf <file> <member>` to extract a single entry to stdout. Returns
- * null on any error; callers treat that as "version unknown" and proceed.
- */
-function readVersionFromTarball(tarballPath) {
-  const out = spawnSync('tar', ['-xzOf', tarballPath, 'package/package.json'], {
-    encoding: 'utf-8',
-  });
-  if (out.status !== 0 || !out.stdout) return null;
-  try {
-    return JSON.parse(out.stdout).version || null;
-  } catch {
-    return null;
-  }
-}