@botdocs/cli 0.12.1 → 0.12.2

package/dist/commands/edit.js

@@ -44,7 +44,9 @@ export async function edit(rawRef, options) {
     let manifest;
     const refStr = `@${ref.username}/${ref.slug}`;
     try {
-        manifest = await apiFetch(`/api/skills/${ref.username}/${ref.slug}/manifest`);
+        manifest = await apiFetch(`/api/skills/${ref.username}/${ref.slug}/manifest`, {
+            auth: 'optional',
+        });
     }
     catch (err) {
         if (err instanceof ApiError && err.status === 404) {

package/dist/commands/install.js

@@ -382,51 +382,6 @@ function isInstallUpToDate(prior, manifest) {
     }
     return true;
 }
-/** Compute the Levenshtein edit distance between two short strings. Used by
- * the "did you mean?" suggester to filter search hits that are too far from
- * the user's typo to be useful. Implementation is the textbook two-row DP —
- * O(n*m) time, O(min(n,m)) space. Both inputs are slug-sized (≤ ~64 chars),
- * so the constant factor doesn't matter. */
-function levenshtein(a, b) {
-    if (a === b)
-        return 0;
-    if (a.length === 0)
-        return b.length;
-    if (b.length === 0)
-        return a.length;
-    let prev = new Array(b.length + 1);
-    let curr = new Array(b.length + 1);
-    for (let j = 0; j <= b.length; j++)
-        prev[j] = j;
-    for (let i = 1; i <= a.length; i++) {
-        curr[0] = i;
-        for (let j = 1; j <= b.length; j++) {
-            const cost = a.charCodeAt(i - 1) === b.charCodeAt(j - 1) ? 0 : 1;
-            curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
-        }
-        [prev, curr] = [curr, prev];
-    }
-    return prev[b.length];
-}
-/** On a 404, query the search endpoint for the user's slug fragment and
- * return the top result as a `@user/slug` string when its slug is within
- * Levenshtein distance 2 of the requested slug. Returns null when the
- * search returns no results, when the top result is too far, or when
- * `requestedRef` already equals the top match (defensive). Never throws —
- * callers wrap in catch and treat any failure as "no suggestion". */
-async function suggestClosestRef(requestedSlug, requestedRef) {
-    const encoded = encodeURIComponent(requestedSlug);
-    const resp = await apiFetch(`/api/search?q=${encoded}`);
-    const top = resp.results[0];
-    if (!top)
-        return null;
-    if (levenshtein(top.slug.toLowerCase(), requestedSlug.toLowerCase()) > 2)
-        return null;
-    const candidate = `@${top.author}/${top.slug}`;
-    if (candidate === requestedRef)
-        return null;
-    return candidate;
-}
 export async function install(rawRef, options) {
     let ref;
     try {
@@ -465,19 +420,15 @@ export async function install(rawRef, options) {
     }
     let manifest;
     try {
-        manifest = await apiFetch(`/api/skills/${ref.username}/${ref.slug}/manifest`);
+        manifest = await apiFetch(`/api/skills/${ref.username}/${ref.slug}/manifest`, { auth: 'optional' });
     }
     catch (err) {
         if (err instanceof ApiError && err.status === 404) {
-            // 404 dead-ends are common when users mistype a slug. Ask the search
-            // endpoint for the slug-fragment and surface the top close match
-            // (Levenshtein distance ≤ 2) so the user can quickly correct.
-            // Network errors from the suggestion lookup are swallowed — the 404
-            // itself is the primary signal and we shouldn't gate it on the
-            // suggestion call succeeding.
-            const suggestion = await suggestClosestRef(ref.slug, refStr).catch(() => null);
-            const suffix = suggestion ? `\n    Did you mean: ${suggestion}?\n` : '\n';
-            console.error(`\n  ✗ Skill or bundle not found: ${refStr}${suffix}`);
+            // A 404 here also covers "PRIVATE skill you can't read" — the server
+            // returns 404 (never 403) for private-no-access so existence never
+            // leaks. We don't try to suggest a close match: the discovery/search
+            // surface was removed (private-by-default), so there's nothing to query.
+            console.error(`\n  ✗ Skill or bundle not found: ${refStr}\n`);
             process.exit(1);
         }
         // 410 Gone = author soft-deleted the skill upstream. Distinct from 404

package/dist/commands/sync.js

@@ -269,7 +269,7 @@ async function installTeamSkill(teamSlug, skill, options, silent) {
     // version locking.)
     let manifest;
     try {
-        manifest = await apiFetch(`/api/skills/${skill.username}/${skill.slug}/manifest`);
+        manifest = await apiFetch(`/api/skills/${skill.username}/${skill.slug}/manifest`, { auth: 'optional' });
     }
     catch (err) {
         if (err instanceof ApiError) {
@@ -376,7 +376,7 @@ async function runSyncCore(rawRef, targets, options, deps) {
         const { username, slug } = refToPath(entry.ref);
         let manifest;
         try {
-            manifest = await apiFetch(`/api/skills/${username}/${slug}/manifest`);
+            manifest = await apiFetch(`/api/skills/${username}/${slug}/manifest`, { auth: 'optional' });
         }
         catch (err) {
             if (err instanceof ApiError) {

package/dist/commands/team.js

@@ -237,7 +237,7 @@ export function registerTeamCommands(program) {
     });
     team
         .command('push <slug> <ref>')
-        .description('Pin a published skill to a team (WRITE+ only)')
+        .description('Pin one of your own published skills to a team (WRITE+ only; you can only pin skills you own)')
         .option('--version <v>', 'Pin to a specific version (omit to float to latest)')
         .action(async (slug, ref, opts) => {
         await teamPush(slug, ref, { ...opts, json: program.opts().json });

package/dist/index.js

@@ -110,7 +110,6 @@ function genericFriendlyMessage(reason) {
 }
 import { Command } from 'commander';
 import { checkAuthFilePerms } from './lib/config.js';
-import { search } from './commands/search.js';
 import { publish } from './commands/publish.js';
 import { unpublish } from './commands/unpublish.js';
 import { delete_ as deleteCmd } from './commands/delete.js';
@@ -179,12 +178,6 @@ program
     .action(async (source) => {
     await validate(source, { json: program.opts().json });
 });
-program
-    .command('search <query>')
-    .description('Search for BotDocs')
-    .action(async (query) => {
-    await search(query, { json: program.opts().json });
-});
 program
     .command('publish <source>')
     .description('Publish a BotDoc — pass a local path to upload, or @user/slug to mark an existing draft live')

package/dist/lib/api.d.ts

@@ -40,7 +40,14 @@ export declare class WaitlistError extends ApiError {
 interface FetchOptions {
     method?: string;
     body?: unknown;
-    auth?: boolean;
+    /** Authorization behavior:
+     * - `false` (default): never attach a bearer token.
+     * - `true`: REQUIRE a saved token — throw `ApiError(401)` when absent.
+     * - `'optional'`: attach the bearer IF a token is saved, but don't throw
+     *   when it's missing. Used by read paths (manifest/versions) that gate on
+     *   the server side: a signed-in user reaches their PRIVATE skills, while an
+     *   anonymous caller still fetches PUBLIC/bootstrap skills tokenlessly. */
+    auth?: boolean | 'optional';
     /** Per-call override of the default request timeout (ms). When the timer
      * fires we abort the underlying fetch and throw an ApiError(0, "timed out…").
      * Defaults to {@link DEFAULT_TIMEOUT_MS}. Set higher for known-slow paths
@@ -71,6 +78,14 @@ export declare function apiFetch<T>(path: string, options?: FetchOptions): Promi
  * network failures and timeouts both surface as `ApiError(0, …)` so the
  * callers don't need to special-case fetchRawContent vs apiFetch in
  * their `instanceof ApiError` catch arms.
+ *
+ * Attaches `Authorization: Bearer <token>` when one is saved so a signed-in
+ * user can read the raw bytes of their PRIVATE skills (the server gates
+ * `/api/raw` on the same predicate as the manifest). PUBLIC and platform
+ * bootstrap skills still resolve with no token, so first-run fetches (e.g.
+ * `@botdocs/cli-quickstart`) keep working unauthenticated. The TLS guard in
+ * getApiUrl() refuses to emit the bearer over plaintext to a non-loopback
+ * host — see {@link getApiUrl}.
  */
 export declare function fetchRawContent(rawUrl: string, options?: {
     timeoutMs?: number;

package/dist/lib/api.js

@@ -131,12 +131,24 @@ export async function apiFetch(path, options = {}) {
     if (auth) {
         const config = loadAuth();
         if (!config?.token) {
-            // Shape this as an ApiError(401) so callers that already branch on auth
-            // failures (e.g. sync's optional team-skill path) handle it uniformly
-            // without a separate "no token saved" code path.
-            throw new ApiError(401, 'Not authenticated. Run `botdocs login` first.');
+            // `auth: 'optional'` means "attach the bearer if we have one, otherwise
+            // proceed anonymously" — the server gates the read. Only the strict
+            // `auth: true` path throws when no token is saved. Shape that as an
+            // ApiError(401) so callers that already branch on auth failures (e.g.
+            // sync's optional team-skill path) handle it uniformly without a
+            // separate "no token saved" code path.
+            if (auth === 'optional') {
+                // No token — fall through and send the request without Authorization.
+                // The TLS guard in getApiUrl() above already ran, so the (absent)
+                // bearer can't leak over plaintext regardless.
+            }
+            else {
+                throw new ApiError(401, 'Not authenticated. Run `botdocs login` first.');
+            }
+        }
+        else {
+            headers['Authorization'] = `Bearer ${config.token}`;
         }
-        headers['Authorization'] = `Bearer ${config.token}`;
     }
     // AbortController + setTimeout is the lowest-overhead way to enforce a hard
     // per-request deadline on Node's fetch — there's no built-in `timeout`
@@ -216,18 +228,31 @@ export async function apiFetch(path, options = {}) {
  * network failures and timeouts both surface as `ApiError(0, …)` so the
  * callers don't need to special-case fetchRawContent vs apiFetch in
  * their `instanceof ApiError` catch arms.
+ *
+ * Attaches `Authorization: Bearer <token>` when one is saved so a signed-in
+ * user can read the raw bytes of their PRIVATE skills (the server gates
+ * `/api/raw` on the same predicate as the manifest). PUBLIC and platform
+ * bootstrap skills still resolve with no token, so first-run fetches (e.g.
+ * `@botdocs/cli-quickstart`) keep working unauthenticated. The TLS guard in
+ * getApiUrl() refuses to emit the bearer over plaintext to a non-loopback
+ * host — see {@link getApiUrl}.
  */
 export async function fetchRawContent(rawUrl, options = {}) {
     const { timeoutMs = DEFAULT_TIMEOUT_MS } = options;
     const baseUrl = getApiUrl();
     const url = rawUrl.startsWith('http') ? rawUrl : `${baseUrl}${rawUrl}`;
+    const headers = {};
+    const config = loadAuth();
+    if (config?.token) {
+        headers['Authorization'] = `Bearer ${config.token}`;
+    }
     // Same pattern as apiFetch — AbortController + clearTimeout in finally so
     // the timer never outlives the request and blocks process exit.
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
     let response;
     try {
-        response = await fetch(url, { signal: controller.signal });
+        response = await fetch(url, { headers, signal: controller.signal });
     }
     catch (err) {
         if (isAbortError(err)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botdocs/cli",
-  "version": "0.12.1",
+  "version": "0.12.2",
   "description": "CLI for BotDocs — author, publish, install, and sync agent skills across Claude, Claude Code, Cursor, Codex, ChatGPT, Windsurf, Copilot, Gemini, Antigravity, and OpenCode.",
   "keywords": [
     "botdocs",

package/dist/commands/search.d.ts

@@ -1,3 +0,0 @@
-export declare function search(query: string, options?: {
-    json?: boolean;
-}): Promise<void>;

package/dist/commands/search.js

@@ -1,58 +0,0 @@
-import { apiFetch } from '../lib/api.js';
-export async function search(query, options = {}) {
-    if (!query.trim()) {
-        console.error('Please provide a search query.');
-        process.exit(1);
-    }
-    const encoded = encodeURIComponent(query);
-    const data = await apiFetch(`/api/search?q=${encoded}`);
-    if (options.json) {
-        console.log(JSON.stringify(data, null, 2));
-        return;
-    }
-    if (data.results.length === 0) {
-        console.log(`No results for "${query}".`);
-        return;
-    }
-    console.log(`${data.total} result(s) for "${query}":\n`);
-    // Print formatted table
-    const maxTitle = Math.min(40, Math.max(...data.results.map((r) => r.title.length)));
-    const maxAuthor = Math.max(...data.results.map((r) => r.author.length));
-    const header = [
-        'Title'.padEnd(maxTitle),
-        'Author'.padEnd(maxAuthor),
-        'Stars'.padStart(5),
-        'Clones'.padStart(6),
-        'Category',
-    ].join('  ');
-    const separator = '-'.repeat(header.length);
-    console.log(header);
-    console.log(separator);
-    for (const result of data.results) {
-        const title = result.title.length > maxTitle
-            ? result.title.slice(0, maxTitle - 1) + '…'
-            : result.title.padEnd(maxTitle);
-        const row = [
-            title,
-            result.author.padEnd(maxAuthor),
-            String(result.starCount).padStart(5),
-            String(result.cloneCount).padStart(6),
-            formatCategory(result.category),
-        ].join('  ');
-        console.log(row);
-    }
-    if (data.totalPages > 1) {
-        console.log(`\nPage ${data.page}/${data.totalPages}`);
-    }
-}
-function formatCategory(category) {
-    const labels = {
-        KNOWLEDGE_MANAGEMENT: 'Knowledge',
-        DEV_WORKFLOW: 'Dev Workflow',
-        AUTOMATION: 'Automation',
-        AGENT_CONFIG: 'Agent Config',
-        PROJECT_SCAFFOLD: 'Scaffold',
-        OTHER: 'Other',
-    };
-    return labels[category] ?? category;
-}