@botdocs/cli 0.12.2 → 0.14.0

package/dist/commands/edit.js

@@ -5,6 +5,8 @@ import * as p from '@clack/prompts';
 import { ApiError, apiFetch, fetchRawContent, friendlyApiErrorDetail } from '../lib/api.js';
 import { complete, detectProvider, LlmError } from '../lib/llm.js';
 import { renderDiff } from '../lib/diff.js';
+import { loadAuth } from '../lib/config.js';
+import { fileSetHash } from '../lib/proposals.js';
 const TEMPLATES_DIR = path.join(path.dirname(fileURLToPath(import.meta.url)), '..', '..', 'templates', 'ecosystem-prompts');
 function loadEditPrompt() {
     return fs.readFileSync(path.join(TEMPLATES_DIR, 'edit.md'), 'utf-8');
@@ -16,6 +18,17 @@ function parseRef(raw) {
         throw new Error(`Invalid ref: ${raw}`);
     return { username: parts[0], slug: parts[1] };
 }
+/** True when the logged-in user owns this skill. A skill ref's username IS the
+ * author's username (the registry resolves `@user/slug` by the author's
+ * handle), so ownership is a case-insensitive username match. Drives the
+ * branch between the author's lower-friction draft loop and the cross-author
+ * proposal lane. */
+function isOwnSkill(username) {
+    const me = loadAuth()?.username;
+    if (!me)
+        return false;
+    return me.toLowerCase() === username.toLowerCase();
+}
 function fileForEcosystem(files, eco) {
     if (eco === 'claude')
         return files.find((f) => f.filename === 'claude/SKILL.md');
@@ -113,11 +126,62 @@ export async function edit(rawRef, options) {
             break;
         // else regenerate — loop
     }
-    await apiFetch(`/api/skills/${ref.username}/${ref.slug}/draft`, {
-        method: 'POST',
-        auth: true,
-        body: { ecosystem: options.ecosystem, content: revised },
-    });
-    console.log(`\n  ✓ Pushed draft for ${rawRef} (${options.ecosystem}).`);
-    console.log(`    Visit https://botdocs.ai/@${ref.username}/${ref.slug} to publish.\n`);
+    // Ownership branch (design §7): the author's own skill keeps the
+    // lower-friction draft→publish loop; a skill owned by someone else routes
+    // through the proposal lane so the change lands in the author's review queue
+    // instead of clobbering their live files.
+    if (isOwnSkill(ref.username)) {
+        await apiFetch(`/api/skills/${ref.username}/${ref.slug}/draft`, {
+            method: 'POST',
+            auth: true,
+            body: { ecosystem: options.ecosystem, content: revised },
+        });
+        console.log(`\n  ✓ Pushed draft for ${rawRef} (${options.ecosystem}).`);
+        console.log(`    Visit https://botdocs.ai/@${ref.username}/${ref.slug} to publish.\n`);
+        return;
+    }
+    await proposeEdit(ref, manifest, target.filename, currentContent, revised);
+}
+/**
+ * Queue an edited file as a proposal for the skill's author to review.
+ *
+ * A proposal replaces the skill's ENTIRE file set, so we fetch every live file
+ * and swap in the revised content for the one ecosystem file we edited. The
+ * `basedFileHash` is computed over the UNMODIFIED live set — it's the drift
+ * anchor the author's accept is checked against.
+ */
+async function proposeEdit(ref, manifest, targetFilename, targetCurrentContent, revised) {
+    // Build the live file set (filename + content). We already have the edited
+    // file's current content; fetch the rest.
+    const liveFiles = await Promise.all(manifest.files.map(async (f) => ({
+        filename: f.filename,
+        content: f.filename === targetFilename ? targetCurrentContent : await fetchRawContent(f.rawUrl),
+    })));
+    const basedFileHash = fileSetHash(liveFiles);
+    // The proposed set is the live set with the edited file's content replaced.
+    const proposedFiles = liveFiles.map((f, i) => ({
+        filename: f.filename,
+        content: f.filename === targetFilename ? revised : f.content,
+        sortOrder: i,
+    }));
+    try {
+        await apiFetch(`/api/skills/${ref.username}/${ref.slug}/proposals`, {
+            method: 'POST',
+            auth: true,
+            body: {
+                files: proposedFiles,
+                agentLabel: 'cli-edit',
+                basedFileHash,
+            },
+        });
+    }
+    catch (err) {
+        if (err instanceof ApiError) {
+            console.error(`\n  ✗ @${ref.username}/${ref.slug}: ${friendlyApiErrorDetail(err, `@${ref.username}/${ref.slug}`)}\n`);
+            process.exit(1);
+        }
+        throw err;
+    }
+    console.log(`\n  ✓ Proposal queued for @${ref.username}/${ref.slug} (${targetFilename}).`);
+    console.log('    The skill author will review it before it goes live.\n');
 }

package/dist/commands/ingest.js

@@ -4,7 +4,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { render } from 'ink';
 import open from 'open';
-import { ApiError, apiFetch, getApiUrl } from '../lib/api.js';
+import { ApiError, apiFetch, getApiUrl, friendlyFreeTierError } from '../lib/api.js';
 import { loadAuth } from '../lib/config.js';
 import { IngestSessionClient, PairingClaimError } from '../lib/ingest-session-client.js';
 import { discoverSkills, ecosystemLabel, formatBytes, STUB_BYTE_THRESHOLD, summaryKey, titleFromContent, } from '../lib/ingest-discover.js';
@@ -643,6 +643,29 @@ function reportSizeCap(err, options) {
     console.error(`\n  ✗ ${detailMessage ?? err.message}\n`);
     process.exit(1);
 }
+/** Print an actionable 403 skill-cap message and exit non-zero. Honors
+ * `--json` by emitting `{ ok: false, status: 403, error, limit, current }` so
+ * scripts can branch on the cap. The human line comes from the shared
+ * `friendlyFreeTierError` mapper so the copy stays identical to publish/install
+ * (honest free-limit wording, no fake checkout). */
+function reportSkillCap(err, options) {
+    const body = err.body;
+    if (options.json) {
+        console.log(JSON.stringify({
+            ok: false,
+            status: 403,
+            error: 'skill_cap_exceeded',
+            limit: body?.limit ?? null,
+            current: body?.current ?? null,
+        }));
+        process.exit(1);
+    }
+    // friendlyFreeTierError returns the honest cap CTA for this code; fall back
+    // to the raw server message only in the (impossible) null case so we never
+    // print an empty line.
+    console.error(`\n  ✗ ${friendlyFreeTierError(err) ?? err.message}\n`);
+    process.exit(1);
+}
 async function uploadSkills(skills, options, pair) {
     // Optional: announce intent before the API call so the paired web UI
     // shows "uploading…" rows immediately. The events POST is batched
@@ -686,6 +709,14 @@ async function uploadSkills(skills, options, pair) {
             if (conflicts)
                 reportConflicts(conflicts, options);
         }
+        // 403 skill_cap_exceeded — the whole batch was rejected because it would
+        // push the account over the free per-account skill limit. Surface the
+        // honest cap CTA (no fake checkout) and exit non-zero.
+        if (err instanceof ApiError &&
+            err.status === 403 &&
+            err.body?.error === 'skill_cap_exceeded') {
+            reportSkillCap(err, options);
+        }
         // 413 PAYLOAD_TOO_LARGE — server's `validateSkillCaps` rejected one of
         // the skills in the payload. The body's `detail.message` is the human
         // line ("file foo/bar.md is 71 KB, cap is 64 KB per file"); fall back

package/dist/commands/login.js

@@ -3,8 +3,8 @@ import { randomBytes } from 'node:crypto';
 import open from 'open';
 import { render } from 'ink';
 import * as p from '@clack/prompts';
-import { saveAuth } from '../lib/config.js';
-import { getApiUrl } from '../lib/api.js';
+import { saveAuth, getOrCreateDeviceId } from '../lib/config.js';
+import { ApiError, getApiUrl, friendlyFreeTierError } from '../lib/api.js';
 import { LoginApp } from './views/login-app.js';
 /** Total wall-clock budget for the polling loop. After this we tell the user
  * the request expired and exit 1. Mirrors the server-side state TTL. */
@@ -51,7 +51,22 @@ async function loginWithToken(token, syncLibrary) {
         process.exit(1);
     }
     if (!res.ok) {
-        console.error(`Token validation failed (${res.status}). Try again later.`);
+        // Surface the standard free-tier frictions with an HONEST CTA when the
+        // server gates this device on the way in:
+        //   - 403 device_cap_exceeded  → "you've reached N devices…"
+        //   - 429 session_limit_exceeded → "N active sessions already…"
+        // The shared mapper reads the JSON body's `error`/`limit` fields and
+        // returns null for anything it doesn't recognize, in which case we fall
+        // back to the generic "validation failed" line. Parsing is best-effort:
+        // a non-JSON body just falls through to the generic message.
+        const body = (await res.json().catch(() => undefined));
+        const friendly = friendlyFreeTierError(new ApiError(res.status, '', body));
+        if (friendly) {
+            console.error(friendly);
+        }
+        else {
+            console.error(`Token validation failed (${res.status}). Try again later.`);
+        }
         process.exit(1);
     }
     const user = (await res.json());
@@ -61,6 +76,10 @@ async function loginWithToken(token, syncLibrary) {
         displayName: user.displayName,
         syncLibrary,
     });
+    // Generate + persist the stable device identity now, so the very next
+    // authenticated request carries an X-Device-Id (no-op when BOTDOCS_DEVICE_ID
+    // is set — that override always wins and isn't persisted).
+    getOrCreateDeviceId();
     printSignedIn(user.username, syncLibrary);
 }
 /** Helper: register a new state with the server and return the public auth
@@ -183,6 +202,7 @@ async function loginInkInteractive(syncLibrary) {
             displayName: granted.displayName,
             syncLibrary,
         });
+        getOrCreateDeviceId();
         resolvedUsername = granted.username;
         status = 'success';
         rerender();
@@ -231,6 +251,7 @@ async function loginPlainInteractive(syncLibrary) {
         displayName: granted.displayName,
         syncLibrary,
     });
+    getOrCreateDeviceId();
     printSyncLibraryHint(syncLibrary);
 }
 /** Polls the server with exponential backoff. Returns the granted payload on

package/dist/commands/proposals.d.ts

@@ -0,0 +1,69 @@
+import { Command } from 'commander';
+interface ProposalsListOptions {
+    /** Filter by status: OPEN (default) | ACCEPTED | REJECTED | all. */
+    status?: string;
+    json?: boolean;
+}
+interface AcceptOptions {
+    /** The proposal id to accept. Required. */
+    id?: string;
+    json?: boolean;
+}
+interface SynthesizeOptions {
+    /** Changelog describing the merge, shown to the reviewing author. */
+    message?: string;
+    /** Self-reported agent identity (e.g. "nightly-synth"). UNTRUSTED server-side. */
+    agentLabel?: string;
+    /** Skip the interactive confirm (for cron / non-interactive use). */
+    yes?: boolean;
+    /** Env var holding the LLM key (passed through to `complete`). */
+    keyEnv?: string;
+    json?: boolean;
+}
+/**
+ * `botdocs proposals @user/slug [--status OPEN|ACCEPTED|REJECTED|all]` — list
+ * the proposals queued against a skill as a table (or `--json`).
+ *
+ * Authors see full metadata; non-author readers see the redacted status view
+ * (Q5: visibility without the ability to accept/reject).
+ */
+export declare function proposals(rawRef: string, options: ProposalsListOptions): Promise<void>;
+/**
+ * `botdocs proposals accept @user/slug --id X` — accept a proposal, publishing
+ * it as a new version. Author-only (the server 403s non-authors).
+ *
+ * Fetches the current version first so we can send `basedOnCurrentVersion` —
+ * the optimistic-concurrency anchor. If the skill moved since (a 409
+ * stale-base), we tell the user to re-review rather than silently clobbering.
+ */
+export declare function proposalsAccept(rawRef: string, options: AcceptOptions): Promise<void>;
+/**
+ * `botdocs proposals synthesize @user/slug` — merge a skill's OPEN proposals
+ * into ONE synthesis proposal for the author to review.
+ *
+ * Runs with a SYNTHESIZER token (a low-privilege principal the author minted,
+ * scoped to this skill). The synthesizer can ONLY read the skill's proposals
+ * and create a synthesis — it can never accept, publish, or edit. The author
+ * still reviews and approves the merge through the normal accept path.
+ *
+ * Steps:
+ *   1. List OPEN proposals (permitted for a scoped synthesizer).
+ *   2. Fetch each OPEN proposal's full contents + the skill's live file set
+ *      (the DETAIL endpoint returns both `files` and `currentFiles`).
+ *   3. Merge the live set + the N proposed sets into one file set via the LLM.
+ *   4. Preview the merge (live vs merged) and confirm unless `--yes`.
+ *   5. POST the synthesis with basedFileHash = fileSetHash(live files).
+ *
+ * A 409 `duplicate_synthesis` is treated as a NO-OP SUCCESS (exit 0): the same
+ * merge already exists OPEN, so an end-of-day cron re-running this is safe.
+ */
+export declare function proposalsSynthesize(rawRef: string, options: SynthesizeOptions): Promise<void>;
+/**
+ * Register the `proposals` command (list, default) and its `accept`
+ * subcommand on the program. Done in a registrar helper (like `team`/`backups`)
+ * so the nested `accept` subcommand lives in this file rather than inline in
+ * index.ts — keeping index.ts's top-level surface clean and the quickstart
+ * drift-check parser happy (it lists only the parent verb `proposals`).
+ */
+export declare function registerProposalsCommands(program: Command): void;
+export {};