@prave/cli 0.4.10 → 1.0.0

package/dist/commands/conflicts.js

@@ -1,6 +1,7 @@
 import chalk from 'chalk';
 import ora from 'ora';
 import { api, ApiError } from '../lib/api.js';
+import { requireAuth } from '../lib/credentials.js';
 import { log } from '../utils/logger.js';
 function describe(c) {
     const a = c.skill_a_name ?? c.skill_a_id;
@@ -17,6 +18,9 @@ function describe(c) {
     }
 }
 export async function conflictsCommand(opts = {}) {
+    const _session = await requireAuth("prave conflicts");
+    if (!_session)
+        return;
     const spinner = ora('Detecting conflicts…').start();
     try {
         const { data: conflicts } = await api.get('/api/v1/intelligence/conflicts?refresh=true', true);

package/dist/commands/deploy.js

@@ -5,6 +5,7 @@ import chalk from 'chalk';
 import ora from 'ora';
 import { AGENT_REGISTRY } from '@prave/shared';
 import { api, ApiError } from '../lib/api.js';
+import { requireAuth } from '../lib/credentials.js';
 import { CONFIG } from '../lib/config.js';
 import { log } from '../utils/logger.js';
 function detectOsKey(detected) {
@@ -68,6 +69,9 @@ function buildDestPath(agent, basePath, os, slug) {
     };
 }
 export async function deployCommand(skillName, opts = {}) {
+    const session = await requireAuth('prave deploy');
+    if (!session)
+        return;
     const start = Date.now();
     let settings;
     try {

package/dist/commands/import.js

@@ -4,14 +4,27 @@ import chalk from 'chalk';
 import ora from 'ora';
 import { api } from '../lib/api.js';
 import { CONFIG } from '../lib/config.js';
-import { loadCredentials } from '../lib/credentials.js';
+import { loadCredentials, requireAuth } from '../lib/credentials.js';
 import { fetchMyPlan, formatUpgradeHint } from '../lib/plan.js';
 import { log } from '../utils/logger.js';
 /**
  * Scans CONFIG.skillsDir for SKILL.md files. Without --upload, only prints
  * the overview — no network call, no consent required.
  */
+/**
+ * Visibility is mandatory on uploads — no silent defaults. Users must pass
+ * either `--public` or `--private`. This avoids the embarrassment of
+ * accidentally publishing private notes to the registry.
+ */
 export async function importCommand(opts) {
+    // `prave import` (without --upload) only inspects local files and posts
+    // to /intelligence/analyze if logged in — uploads, however, must always
+    // be tracked, so we gate on auth whenever --upload is set.
+    if (opts.upload) {
+        const session = await requireAuth('prave import --upload');
+        if (!session)
+            return;
+    }
     const spinner = ora(`Scanning ${CONFIG.skillsDir}…`).start();
     let entries = [];
     try {
@@ -56,10 +69,19 @@ export async function importCommand(opts) {
         }
         return;
     }
+    // Visibility is required on every upload — no silent default.
+    if (opts.public === opts.private) {
+        log.warn('Specify visibility: --public or --private (one is required on upload).');
+        log.dim('Examples:');
+        log.dim('  prave import --upload --private    # only you can see them');
+        log.dim('  prave import --upload --public     # listed in the public registry');
+        process.exitCode = 1;
+        return;
+    }
+    const visibility = opts.private ? 'private' : 'public';
     // Plan gate: clamp the queue to the caller's import / private quota so
     // we don't waste 70 round-trips against a Free account that maxes at 10.
     const me = await fetchMyPlan();
-    const visibility = opts.private ? 'private' : 'public';
     if (visibility === 'private' && !me.limits.can_private_skills) {
         log.warn('Private imports require the Explorer plan.');
         log.dim(formatUpgradeHint('explorer'));

package/dist/commands/install.js

@@ -5,7 +5,7 @@ import chalk from 'chalk';
 import ora from 'ora';
 import { api, ApiError } from '../lib/api.js';
 import { CONFIG } from '../lib/config.js';
-import { loadCredentials } from '../lib/credentials.js';
+import { loadCredentials, requireAuth } from '../lib/credentials.js';
 import { log } from '../utils/logger.js';
 /**
  * `prave install <slug>` — pulls SKILL.md to ~/.claude/skills/<slug>/.
@@ -18,15 +18,21 @@ import { log } from '../utils/logger.js';
  *     instead of letting the API error bubble.
  */
 export async function installCommand(slug, opts = {}) {
+    // Auth gate — installs MUST be tracked, otherwise we can't bump counts,
+    // serve recommendations, or surface "updates available" later. Block here
+    // before any registry hit so the user gets a clear hint instead of a
+    // silently-untracked install.
+    const session = await requireAuth('prave install');
+    if (!session)
+        return;
     const spinner = ora(`Resolving ${slug}…`).start();
     let installedSlugs = [];
     try {
         const slugs = opts.noDeps ? [slug] : await resolveOrder(slug);
         spinner.text = `Installing ${slugs.length} skill${slugs.length === 1 ? '' : 's'}…`;
-        const session = await loadCredentials();
         for (const s of slugs) {
             spinner.text = `↓ ${s}`;
-            await pullOne(s, { hasSession: Boolean(session), force: Boolean(opts.force) });
+            await pullOne(s, { hasSession: true, force: Boolean(opts.force) });
         }
         installedSlugs = slugs;
         spinner.succeed(`Installed ${slugs.length} skill${slugs.length === 1 ? '' : 's'} → ${CONFIG.skillsDir}`);
@@ -39,9 +45,6 @@ export async function installCommand(slug, opts = {}) {
         process.exitCode = 1;
         return;
     }
-    const session = await loadCredentials();
-    if (!session)
-        return;
     // Best-effort analyze pass on the freshly written files.
     for (const s of installedSlugs) {
         const path = join(CONFIG.skillsDir, s, 'SKILL.md');
@@ -55,7 +58,11 @@ export async function installCommand(slug, opts = {}) {
             /* file unreadable — skip */
         }
     }
-    // Offer to deploy to all configured agents.
+    // Offer to deploy to all configured agents — unless the caller already
+    // answered the question (e.g. `prave sync` collects the answer once for
+    // the whole batch and threads it through `skipDeployPrompt`).
+    if (opts.skipDeployPrompt)
+        return;
     const rl = createInterface({ input: process.stdin, output: process.stdout });
     try {
         const ans = (await rl.question('\nDeploy to all configured agents? [y/N] ')).trim().toLowerCase();

package/dist/commands/login.js

@@ -33,6 +33,16 @@ export async function loginCommand() {
                 user_id: data.user_id,
             });
             spinner.succeed('Logged in.');
+            // Onboarding: prefill from the SaaS profile, let the user toggle
+            // with space/enter, persist back, and offer to install hooks.
+            // Failures here are non-fatal — login succeeded.
+            try {
+                const { runAgentOnboarding } = await import('../lib/agent-onboarding.js');
+                await runAgentOnboarding();
+            }
+            catch (onboardErr) {
+                log.dim(`Agent onboarding skipped: ${onboardErr.message}`);
+            }
             return;
         }
         catch (err) {

package/dist/commands/optimize.js

@@ -1,6 +1,7 @@
 import chalk from 'chalk';
 import ora from 'ora';
 import { api, ApiError } from '../lib/api.js';
+import { requireAuth } from '../lib/credentials.js';
 import { log } from '../utils/logger.js';
 function formatTokens(n) {
     if (n < 1000)
@@ -11,6 +12,9 @@ function nameOf(s) {
     return s.name ?? s.file_path;
 }
 export async function optimizeCommand(opts = {}) {
+    const _session = await requireAuth("prave optimize");
+    if (!_session)
+        return;
     const spinner = ora('Analyzing your skill set…').start();
     try {
         const { data } = await api.get('/api/v1/intelligence/optimize', true);

package/dist/commands/overview.js

@@ -1,6 +1,7 @@
 import chalk from 'chalk';
 import ora from 'ora';
 import { api, ApiError } from '../lib/api.js';
+import { requireAuth } from '../lib/credentials.js';
 import { log } from '../utils/logger.js';
 function formatThousands(n) {
     if (n < 1000)
@@ -13,6 +14,9 @@ function pad(s, width) {
     return s + ' '.repeat(width - s.length);
 }
 export async function overviewCommand(opts = {}) {
+    const _session = await requireAuth("prave overview");
+    if (!_session)
+        return;
     if (opts.json) {
         try {
             const { data } = await api.get('/api/v1/intelligence/overview', true);

package/dist/commands/settings.js

@@ -1,8 +1,9 @@
 import { mkdir, readFile, writeFile } from 'node:fs/promises';
 import { createInterface } from 'node:readline/promises';
 import chalk from 'chalk';
-import { AGENT_REGISTRY, AGENT_TYPES } from '@prave/shared';
+import { AGENT_REGISTRY } from '@prave/shared';
 import { api, ApiError } from '../lib/api.js';
+import { requireAuth } from '../lib/credentials.js';
 import { CONFIG } from '../lib/config.js';
 import { log } from '../utils/logger.js';
 function detectOs() {
@@ -35,37 +36,15 @@ async function patchSettings(patch) {
     const { data } = await api.put('/api/v1/settings/agents', patch, true);
     return data;
 }
-function isAgentType(s) {
-    return AGENT_TYPES.includes(s);
-}
-async function configureAgents(rl, current) {
-    console.log();
-    console.log(chalk.bold('Available agents:'));
-    for (const id of AGENT_TYPES) {
-        const meta = AGENT_REGISTRY[id];
-        const enabled = current.enabled_agents.includes(id) ? chalk.green('✓') : ' ';
-        console.log(`  ${enabled} ${chalk.cyan(meta.id.padEnd(8))} ${meta.label} ${chalk.dim('— ' + meta.description)}`);
-    }
-    const answer = (await rl.question(`\nEnter comma-separated agents to enable (default: ${current.enabled_agents.join(',') || 'claude'}): `)).trim();
-    let enabled = current.enabled_agents;
-    if (answer) {
-        const tokens = answer
-            .split(',')
-            .map((t) => t.trim().toLowerCase())
-            .filter(Boolean);
-        const invalid = tokens.filter((t) => !isAgentType(t));
-        if (invalid.length > 0) {
-            log.warn(`Unknown agents skipped: ${invalid.join(', ')}`);
-        }
-        enabled = tokens.filter(isAgentType);
-        if (enabled.length === 0) {
-            log.warn('No valid agents selected — keeping previous selection.');
-            return current;
-        }
-    }
-    const updated = await patchSettings({ enabled_agents: enabled });
+async function configureAgents(_rl, current) {
+    // Reuse the shared onboarding flow. Same UX as `prave login`: space to
+    // toggle, enter to confirm, plus an opt-in hook install. Persists via
+    // PUT /api/v1/settings/agents so web + CLI stay in lockstep.
+    const { runAgentOnboarding } = await import('../lib/agent-onboarding.js');
+    const updated = await runAgentOnboarding();
+    if (!updated)
+        return current;
     await saveLocalConfig(updated);
-    log.success(`Enabled agents: ${updated.enabled_agents.join(', ')}`);
     return updated;
 }
 async function configurePaths(rl, current) {
@@ -130,6 +109,9 @@ async function showAccount() {
     log.dim('Run `prave whoami` for full identity, or `prave logout` to sign out.');
 }
 export async function settingsCommand() {
+    const _session = await requireAuth("prave settings");
+    if (!_session)
+        return;
     const rl = createInterface({ input: process.stdin, output: process.stdout });
     try {
         let current;

package/dist/commands/sync.js

@@ -1,28 +1,35 @@
 import { readdir, stat } from 'node:fs/promises';
 import { join } from 'node:path';
+import { createInterface } from 'node:readline/promises';
 import chalk from 'chalk';
 import ora from 'ora';
 import { CONFIG } from '../lib/config.js';
-import { loadCredentials } from '../lib/credentials.js';
+import { requireAuth } from '../lib/credentials.js';
 import { fetchMyPlan, formatUpgradeHint } from '../lib/plan.js';
 import { log } from '../utils/logger.js';
 import { installCommand } from './install.js';
 /**
  * `prave sync` — re-pulls every locally installed Skill from the
  * registry. Picks up SKILL.md edits without the user having to remember
- * each slug. Skips deps (each top-level Skill already has its tree
- * resolved on the original install).
+ * each slug.
+ *
+ * The deploy-to-all-agents question is asked ONCE up-front for the entire
+ * queue (regression fix: it used to fire per Skill, forcing the user to
+ * mash `y` 30 times). The answer is then threaded into every
+ * `installCommand` invocation via `skipDeployPrompt: true` and we run a
+ * single batched deploy at the end.
  */
 export async function syncCommand() {
+    // Auth gate — sync mutates the install ledger and intelligence cache.
+    const session = await requireAuth('prave sync');
+    if (!session)
+        return;
     // Plan gate: sync requires Explorer or higher.
-    const session = await loadCredentials();
-    if (session) {
-        const me = await fetchMyPlan();
-        if (!me.limits.can_cli_sync) {
-            log.warn('Sync requires the Explorer plan or higher.');
-            log.dim(formatUpgradeHint('explorer'));
-            return;
-        }
+    const me = await fetchMyPlan();
+    if (!me.limits.can_cli_sync) {
+        log.warn('Sync requires the Explorer plan or higher.');
+        log.dim(formatUpgradeHint('explorer'));
+        return;
     }
     const spinner = ora('Scanning local Skills…').start();
     let entries = [];
@@ -44,11 +51,23 @@ export async function syncCommand() {
         return;
     }
     spinner.succeed(`Found ${slugs.length} installed Skill${slugs.length === 1 ? '' : 's'}.`);
+    // Ask the deploy question ONCE for the whole batch.
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    let deployAfter = false;
+    try {
+        const ans = (await rl.question(`\nAfter syncing, deploy all ${slugs.length} Skills to your configured agents? [y/N] `))
+            .trim()
+            .toLowerCase();
+        deployAfter = ans === 'y' || ans === 'yes';
+    }
+    finally {
+        rl.close();
+    }
     let updated = 0;
     let failed = 0;
     for (const slug of slugs) {
         try {
-            await installCommand(slug, { noDeps: true });
+            await installCommand(slug, { noDeps: true, skipDeployPrompt: true });
             updated++;
         }
         catch {
@@ -57,4 +76,27 @@ export async function syncCommand() {
         }
     }
     log.dim(`\nSynced ${updated} · failed ${failed}`);
+    if (deployAfter && updated > 0) {
+        const { deployCommand } = await import('./deploy.js');
+        log.info(`\nDeploying ${updated} Skills to configured agents…`);
+        for (const slug of slugs) {
+            try {
+                await deployCommand(slug, {});
+            }
+            catch (err) {
+                log.warn(`  ✗ deploy ${slug} — ${err.message}`);
+            }
+        }
+    }
+    // Tail end of sync: fire a quiet usage scan so the optimiser stays warm
+    // without the user having to remember an extra command. Quiet mode means
+    // we only log a one-liner ("Usage: 12 new, 88 known.") instead of taking
+    // over the spinner. Failures are non-fatal — sync's primary job is done.
+    try {
+        const { usageScanCommand } = await import('./usage.js');
+        await usageScanCommand({ quiet: true });
+    }
+    catch {
+        /* swallow — usage tracking is best-effort */
+    }
 }

package/dist/commands/update.js

@@ -0,0 +1,165 @@
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { createInterface } from 'node:readline/promises';
+import chalk from 'chalk';
+import ora from 'ora';
+import { api } from '../lib/api.js';
+import { CONFIG } from '../lib/config.js';
+import { requireAuth } from '../lib/credentials.js';
+import { log } from '../utils/logger.js';
+/**
+ * `prave update [<slug>]` — diff every CLI-installed Skill against its
+ * current Prave version and pull the ones that are outdated.
+ *
+ *   • No slug → walks the install ledger, compares each install's
+ *     `installed_at` vs the Skill's `updated_at`, and updates the stale
+ *     ones in-place under ~/.claude/skills/<slug>/SKILL.md.
+ *   • Slug given → updates exactly that Skill (force-pulls latest, even if
+ *     not stale — useful when the local file was edited and needs reset).
+ *
+ * Prints a short "audit-trail" line per Skill so the operator can see what
+ * changed: `markdown-pro  v3 → v5  (last pulled 12 Apr · published 21 Apr)`.
+ */
+export async function updateCommand(slug, opts = {}) {
+    const session = await requireAuth('prave update');
+    if (!session)
+        return;
+    const spinner = ora(slug ? `Resolving ${slug}…` : 'Checking your installed skills…').start();
+    let installs;
+    try {
+        const { data } = await api.get('/api/v1/me/installs', true);
+        installs = data;
+    }
+    catch (err) {
+        spinner.fail(`Couldn't fetch installs — ${err.message}`);
+        process.exitCode = 1;
+        return;
+    }
+    const targets = slug ? installs.filter((r) => r.skill?.slug === slug) : installs;
+    if (targets.length === 0) {
+        spinner.info(slug ? `${slug} is not in your install ledger.` : 'No installs on this account yet.');
+        return;
+    }
+    // Fetch the current Skill for each target in parallel.
+    spinner.text = `Comparing ${targets.length} skill${targets.length === 1 ? '' : 's'}…`;
+    const candidates = [];
+    const upToDate = [];
+    const errors = [];
+    await Promise.all(targets.map(async (row) => {
+        const targetSlug = row.skill?.slug;
+        if (!targetSlug)
+            return;
+        try {
+            const { data: skill } = await api.get(`/api/v1/skills/${targetSlug}`, true);
+            const isStale = isOutdated(row, skill, Boolean(slug));
+            if (!isStale) {
+                upToDate.push(targetSlug);
+                return;
+            }
+            candidates.push({
+                slug: targetSlug,
+                installedAt: row.installed_at,
+                serverUpdatedAt: skill.updated_at,
+                installedVersion: row.version ?? null,
+                latestVersion: typeof skill.current_version === 'number'
+                    ? skill.current_version ?? null
+                    : null,
+                remoteContent: skill.content ?? '',
+                localPath: join(CONFIG.skillsDir, targetSlug, 'SKILL.md'),
+            });
+        }
+        catch (err) {
+            errors.push(`${targetSlug}: ${err.message}`);
+        }
+    }));
+    if (candidates.length === 0) {
+        if (errors.length > 0) {
+            spinner.warn(`No updates available. ${errors.length} skill(s) couldn't be checked:`);
+            for (const e of errors)
+                log.dim(`  ✗ ${e}`);
+        }
+        else {
+            spinner.succeed(upToDate.length === 1
+                ? `${upToDate[0]} is up to date.`
+                : `All ${upToDate.length} installed skills are up to date.`);
+        }
+        return;
+    }
+    spinner.succeed(`${candidates.length} skill${candidates.length === 1 ? '' : 's'} can be updated.`);
+    // Audit-trail print — same format as a tiny commit log.
+    for (const c of candidates) {
+        const versionLine = c.installedVersion !== null && c.latestVersion !== null
+            ? `${chalk.dim('v')}${c.installedVersion} → ${chalk.bold('v' + c.latestVersion)}`
+            : chalk.dim('content-hash diff');
+        console.log(`  ${chalk.cyan('•')} ${chalk.bold(c.slug)}  ${versionLine}  ${chalk.dim(`(local ${formatDate(c.installedAt)} → registry ${formatDate(c.serverUpdatedAt)})`)}`);
+    }
+    if (opts.dryRun) {
+        log.dim(`\nDry run — nothing written. Re-run without --dry-run to apply.`);
+        return;
+    }
+    if (!opts.yes) {
+        const rl = createInterface({ input: process.stdin, output: process.stdout });
+        try {
+            const ans = (await rl.question(`\nPull ${candidates.length} update${candidates.length === 1 ? '' : 's'}? [Y/n] `))
+                .trim()
+                .toLowerCase();
+            if (ans && ans !== 'y' && ans !== 'yes') {
+                log.dim('Aborted.');
+                return;
+            }
+        }
+        finally {
+            rl.close();
+        }
+    }
+    const writeSpinner = ora(`Writing ${candidates.length} update${candidates.length === 1 ? '' : 's'}…`).start();
+    let written = 0;
+    for (const c of candidates) {
+        try {
+            await mkdir(join(CONFIG.skillsDir, c.slug), { recursive: true });
+            await writeFile(c.localPath, c.remoteContent, 'utf8');
+            // Re-record the install row so installed_at/version reflect the pull.
+            await api
+                .post(`/api/v1/skills/${encodeURIComponent(c.slug)}/install`, { version: c.latestVersion ?? null }, true)
+                .catch(() => { });
+            written += 1;
+        }
+        catch (err) {
+            writeSpinner.warn(`${c.slug}: ${err.message}`);
+        }
+    }
+    writeSpinner.succeed(`Updated ${written}/${candidates.length}${written === candidates.length ? '' : ` (${candidates.length - written} failed)`}.`);
+    if (errors.length > 0) {
+        log.dim(`\n${errors.length} skill(s) couldn't be checked earlier:`);
+        for (const e of errors)
+            log.dim(`  ✗ ${e}`);
+    }
+}
+/**
+ * "Stale" = the registry's `updated_at` is strictly newer than the
+ * install ledger's `installed_at`. For an explicit `prave update <slug>`
+ * we always treat the row as stale — the user is asking for a forced pull,
+ * which is also the right behaviour after a local edit gone wrong.
+ */
+function isOutdated(row, skill, force) {
+    if (force)
+        return true;
+    const installedTs = new Date(row.installed_at).getTime();
+    const updatedTs = new Date(skill.updated_at).getTime();
+    return Number.isFinite(installedTs) && Number.isFinite(updatedTs) && updatedTs > installedTs;
+}
+function formatDate(iso) {
+    const d = new Date(iso);
+    if (Number.isNaN(d.getTime()))
+        return iso;
+    return d.toLocaleDateString(undefined, { month: 'short', day: 'numeric' });
+}
+/** Read the local SKILL.md content if it exists — for the `--from-disk` flag (Phase 2). */
+export async function readLocalSkillContent(slug) {
+    try {
+        return await readFile(join(CONFIG.skillsDir, slug, 'SKILL.md'), 'utf8');
+    }
+    catch {
+        return null;
+    }
+}