@prave/cli 1.2.0 → 1.2.2

package/README.md

@@ -172,7 +172,7 @@ API health and uptime: [status.prave.app](https://status.prave.app) — auto-ref
 - 📖 [**CLI Cheat Sheet**](https://prave.app/docs/cli/cheat-sheet) — every command on one page
 - 💚 [**status.prave.app**](https://status.prave.app) — real-time health
 - 🐛 [**GitHub Issues**](https://github.com/eppstudio/prave/issues) — bug reports & feature requests
-- ✉️ [info@epplab-studio.de](mailto:info@epplab-studio.de) — direct contact
+- ✉️ [hello@epplab-studio.de](mailto:hello@epplab-studio.de) — direct contact
 
 ## License
 

package/dist/commands/conflicts.js

@@ -1,9 +1,47 @@
+import { stat } from 'node:fs/promises';
+import { join } from 'node:path';
 import chalk from 'chalk';
 import ora from 'ora';
 import { track } from '../lib/analytics.js';
 import { api, ApiError } from '../lib/api.js';
+import { CONFIG } from '../lib/config.js';
 import { requireAuth } from '../lib/credentials.js';
+import { checkboxPrompt } from '../lib/prompt.js';
+import { isValidSlug } from '../lib/slug.js';
 import { log } from '../utils/logger.js';
+import { uninstallCommand } from './uninstall.js';
+/**
+ * Resolve a `skill_metadata` row back to its on-disk slug, mirroring
+ * the canonical `~/.claude/skills/<slug>/SKILL.md` layout used by
+ * `prave optimize --remove-unused`. Returns `null` when the slug
+ * fails the registry regex (defence against `..` injection via a
+ * malformed `file_path`).
+ */
+function slugOf(s) {
+    const segs = s.file_path?.split('/').filter(Boolean) ?? [];
+    let candidate = null;
+    if (segs.length >= 2) {
+        const last = segs[segs.length - 1];
+        const parent = segs[segs.length - 2];
+        if (last.toLowerCase().endsWith('skill.md'))
+            candidate = parent;
+    }
+    if (!candidate && s.name) {
+        candidate = s.name.trim().toLowerCase().replace(/\s+/g, '-');
+    }
+    if (!candidate)
+        return null;
+    return isValidSlug(candidate) ? candidate : null;
+}
+async function existsOnDisk(slug) {
+    try {
+        const st = await stat(join(CONFIG.skillsDir, slug));
+        return st.isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
 function describe(c) {
     const a = c.skill_a_name ?? c.skill_a_id;
     const b = c.skill_b_name ?? c.skill_b_id;
@@ -44,8 +82,70 @@ export async function conflictsCommand(opts = {}) {
             console.log(`${chalk.yellow('⚠️ ')} ${describe(c)}`);
         }
         if (opts.fix) {
+            // Interactive resolution: the most common (and safest) fix for a
+            // conflict is uninstalling one of the two competing Skills. We
+            // build a checkbox list of the unique slugs that appear in the
+            // conflict set, restricted to ones we can resolve back to a real
+            // on-disk folder (so we never offer to "uninstall" something the
+            // user hasn't actually got installed).
+            let metadata = [];
+            try {
+                const { data } = await api.get('/api/v1/intelligence/skills', true);
+                metadata = data;
+            }
+            catch (err) {
+                log.warn(`Could not fetch skill metadata — ${err.message}`);
+            }
+            // Tally how many conflicts each Skill participates in. Heuristic:
+            // a skill that conflicts with two others is the strongest fix
+            // candidate (uninstalling it resolves multiple rows at once), so
+            // we surface it first.
+            const conflictCount = new Map();
+            for (const c of conflicts) {
+                conflictCount.set(c.skill_a_id, (conflictCount.get(c.skill_a_id) ?? 0) + 1);
+                conflictCount.set(c.skill_b_id, (conflictCount.get(c.skill_b_id) ?? 0) + 1);
+            }
+            const candidates = [];
+            const seen = new Set();
+            for (const m of metadata) {
+                if (!conflictCount.has(m.id))
+                    continue;
+                const slug = slugOf(m);
+                if (!slug || seen.has(slug))
+                    continue;
+                if (!(await existsOnDisk(slug)))
+                    continue;
+                seen.add(slug);
+                candidates.push({
+                    slug,
+                    name: m.name ?? slug,
+                    count: conflictCount.get(m.id) ?? 1,
+                });
+            }
+            candidates.sort((a, b) => b.count - a.count || a.slug.localeCompare(b.slug));
+            if (candidates.length === 0) {
+                console.log();
+                log.dim('Nothing to auto-fix — no conflicting Skills are installed under ~/.claude/skills/. ' +
+                    'Run `prave whatdoes <skill>` to inspect frontmatter and resolve manually.');
+                return;
+            }
+            console.log();
+            const picks = await checkboxPrompt('Select Skills to uninstall:', candidates.map((c) => ({
+                value: c.slug,
+                label: c.name,
+                hint: c.count > 1
+                    ? `${c.count} conflicts · ${c.slug}`
+                    : `1 conflict · ${c.slug}`,
+            })));
+            if (!picks || picks.length === 0) {
+                log.dim('Aborted — nothing removed.');
+                return;
+            }
+            for (const slug of picks) {
+                await uninstallCommand(slug);
+            }
             console.log();
-            log.dim('Interactive fix coming soon — for now run `prave whatdoes <skill>` and adjust frontmatter manually.');
+            log.dim(`Removed ${picks.length} skill(s). Run ${chalk.cyan('prave sync')} to refresh server-side metadata.`);
         }
     }
     catch (err) {

package/dist/commands/login.js

@@ -39,6 +39,17 @@ export async function loginCommand() {
                 expires_at: data.expires_at ?? undefined,
             });
             spinner.succeed('Logged in.');
+            // Replay any Skill-invocation events the hook buffered while the
+            // user was offline / signed out. Silent when nothing's queued;
+            // prints "Syncing N events…" + a confirmation when the file has
+            // real backlog. Failures swallowed inside.
+            try {
+                const { flushBufferedTelemetry } = await import('../lib/flush-telemetry.js');
+                await flushBufferedTelemetry();
+            }
+            catch (flushErr) {
+                log.dim(`Telemetry sync skipped: ${flushErr.message}`);
+            }
             // Onboarding: prefill from the SaaS profile, let the user toggle
             // with space/enter, persist back, and offer to install hooks.
             // Failures here are non-fatal — login succeeded.

package/dist/commands/optimize.js

@@ -1,9 +1,13 @@
+import { stat } from 'node:fs/promises';
+import { join } from 'node:path';
+import readline from 'node:readline/promises';
 import chalk from 'chalk';
 import ora from 'ora';
-import readline from 'node:readline/promises';
 import { track } from '../lib/analytics.js';
 import { api, ApiError } from '../lib/api.js';
+import { CONFIG } from '../lib/config.js';
 import { requireAuth } from '../lib/credentials.js';
+import { checkboxPrompt } from '../lib/prompt.js';
 import { isValidSlug } from '../lib/slug.js';
 import { log } from '../utils/logger.js';
 import { uninstallCommand } from './uninstall.js';
@@ -40,6 +44,15 @@ function slugOf(s) {
     // injected via a malformed `file_path`.
     return isValidSlug(candidate) ? candidate : null;
 }
+async function existsOnDisk(slug) {
+    try {
+        const st = await stat(join(CONFIG.skillsDir, slug));
+        return st.isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
 async function confirmYesNo(question) {
     const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
     try {
@@ -121,10 +134,57 @@ export async function optimizeCommand(opts = {}) {
             log.dim(`Removed ${candidates.length} skill(s). Run ${chalk.cyan('prave sync')} to update server-side metadata.`);
         }
         else if (opts.apply) {
+            // `--apply` is the unified interactive cleanup: pick from the
+            // *underused* + *heavy* lists at once and uninstall whatever the
+            // user agrees to. This is strictly safer than blanket-deleting
+            // because every selection is opt-in.
+            //
+            // Merge candidates are intentionally NOT auto-actionable — merging
+            // two Skills is a content-rewrite that the user has to do by hand.
+            // We surface them above and leave them for the suggestions panel.
+            const offer = [];
+            const seen = new Set();
+            const push = (skill, bucket) => {
+                const slug = slugOf(skill);
+                if (!slug || seen.has(slug))
+                    return;
+                seen.add(slug);
+                offer.push({ slug, skill, bucket });
+            };
+            for (const s of data.underused)
+                push(s, 'underused');
+            for (const s of data.heavy)
+                push(s, 'heavy');
+            // Filter to ones actually present on disk — the API returns
+            // metadata for slug-keyed self-heal stubs that may not have a
+            // matching folder.
+            const installed = [];
+            for (const item of offer) {
+                if (await existsOnDisk(item.slug))
+                    installed.push(item);
+            }
+            if (installed.length === 0) {
+                console.log();
+                log.dim('Nothing on disk to clean up — every flagged skill is either uninstalled already or only relevant to merge candidates (which need a manual rewrite).');
+                return;
+            }
+            console.log();
+            const picks = await checkboxPrompt('Pick skills to uninstall:', installed.map((i) => ({
+                value: i.slug,
+                label: nameOf(i.skill),
+                hint: i.bucket === 'underused'
+                    ? `underused · ${formatTokens(i.skill.estimated_tokens)} · ${i.slug}`
+                    : `heavy · ${formatTokens(i.skill.estimated_tokens)} · ${i.slug}`,
+            })));
+            if (!picks || picks.length === 0) {
+                log.dim('Aborted — nothing removed.');
+                return;
+            }
+            for (const slug of picks) {
+                await uninstallCommand(slug);
+            }
             console.log();
-            log.dim('Auto-apply not available — use ' +
-                chalk.cyan('prave optimize --remove-unused') +
-                ' to delete underused skills, or review the suggestions and adjust manually.');
+            log.dim(`Removed ${picks.length} skill(s). Run ${chalk.cyan('prave sync')} to refresh server-side metadata.`);
         }
     }
     catch (err) {

package/dist/commands/usage.js

@@ -7,6 +7,7 @@ import { api, ApiError } from '../lib/api.js';
 import { CONFIG } from '../lib/config.js';
 import { requireAuth } from '../lib/credentials.js';
 import { HOOK_SUPPORTED, installHooksForAgents, uninstallHooksForAgents, } from '../lib/hook.js';
+import { bufferEvent } from '../lib/telemetry-buffer.js';
 import { AGENT_REGISTRY } from '@prave/shared';
 import { loadCursor, saveCursor } from '../lib/usage-cursor.js';
 import { scanTranscriptsForUsage } from '../lib/usage-scanner.js';
@@ -104,53 +105,61 @@ export async function usageScanCommand(opts) {
     }
 }
 /**
- * `prave usage report` — invoked by the Claude Code `PostToolUse` hook.
+ * `prave usage report` — invoked by the Claude Code `PostToolUse` hook
+ * (and, when `--source=prompt`, the companion `UserPromptSubmit` hook).
  * Reads the hook payload from stdin, extracts the Skill name, and fires
  * a single-event POST against the slug-keyed self-healing endpoint.
  * Errors are silent (we never want a hook failure to disturb the user's
- * workflow); set `PRAVE_DEBUG=1` to see what's happening in
- * `~/.prave/usage.log`.
+ * workflow); a rotated `~/.prave/hook.log` always captures the last 200
+ * fires so users can verify telemetry without flipping `PRAVE_DEBUG=1`.
+ *
+ * Hook discipline:
+ *   - reads stdin with a 250 ms cap so we never block Claude Code
+ *   - one POST attempt with a hard 4 s deadline (background-friendly)
+ *   - on auth/network failure we log + bail; never throw
  */
-export async function usageReportCommand() {
+export async function usageReportCommand(opts = {}) {
     const debug = process.env.PRAVE_DEBUG === '1' || process.env.PRAVE_DEBUG === 'true';
+    const source = opts.source === 'prompt' ? 'prompt' : 'tool';
+    await rotateHookLog();
     const stdinPayload = await readStdin();
     if (!stdinPayload) {
+        await hookLog(`${source}:no-stdin`);
         if (debug)
             await debugLog('no stdin payload');
         return;
     }
     if (debug)
-        await debugLog(`stdin len=${stdinPayload.length}`);
+        await debugLog(`stdin len=${stdinPayload.length} source=${source}`);
     // Claude Code's PostToolUse payload is documented as `{tool_name,
-    // tool_input, tool_response, ...}`, but we still defend against
-    // alternate shapes (capitalisation, future schema drift) so the hook
-    // doesn't silently break on a single field rename.
+    // tool_input, tool_response, ...}`. UserPromptSubmit ships
+    // `{ prompt, ... }`. We defend against alternate shapes (capitalisation,
+    // future schema drift) so the hook doesn't silently break on a single
+    // field rename.
     let parsed = {};
     try {
         parsed = JSON.parse(stdinPayload);
     }
     catch {
+        await hookLog(`${source}:bad-json`);
         if (debug)
             await debugLog('payload is not valid JSON');
         return;
     }
-    const rawSlug = extractSkillSlug(parsed);
+    const rawSlug = source === 'prompt' ? extractSlashCommand(parsed) : extractSkillSlug(parsed);
     if (!rawSlug) {
+        await hookLog(`${source}:no-slug`);
         if (debug)
             await debugLog(`no skill slug in payload: ${stdinPayload.slice(0, 200)}`);
         return;
     }
     const slug = rawSlug.toLowerCase().split(':').pop()?.trim().replace(/[^a-z0-9_-]+/g, '-');
-    if (!slug)
+    if (!slug) {
+        await hookLog(`${source}:empty-slug`);
         return;
+    }
     if (debug)
         await debugLog(`slug=${slug}`);
-    const session = await requireAuthSilent();
-    if (!session) {
-        if (debug)
-            await debugLog('no auth — skipping');
-        return;
-    }
     // Build the telemetry blob from whatever Claude Code shipped in the
     // payload. Everything is best-effort — missing fields just don't
     // appear in `meta`. The server schema (usageMetaSchema) validates
@@ -178,23 +187,77 @@ export async function usageReportCommand() {
         if (typeof obj.prompt === 'string')
             meta.prompt_chars = obj.prompt.length;
     }
+    const triggered_at = new Date().toISOString();
+    const session = await requireAuthSilent();
+    // No credentials? Don't drop the event — buffer it to disk. The next
+    // `prave login` (or any authenticated command that calls
+    // `flushBufferedTelemetry`) replays the file against the same
+    // by-slug endpoint, so no Skill invocation is ever lost just because
+    // the user happened to be signed out at hook-fire time.
+    if (!session) {
+        await bufferEvent({
+            slug,
+            agent_type: 'claude',
+            triggered_at,
+            meta: { ...meta, source },
+        });
+        await hookLog(`${source}:buffered slug=${slug}`);
+        if (debug)
+            await debugLog(`no auth — buffered to telemetry-queue`);
+        return;
+    }
     try {
         const { data } = await api.post('/api/v1/intelligence/usage/by-slug', {
             slug,
             agent_type: 'claude',
-            triggered_at: new Date().toISOString(),
-            meta,
+            triggered_at,
+            meta: { ...meta, source },
         }, true);
+        await hookLog(`${source}:ok slug=${slug} recorded=${data.recorded} stub=${data.created_stub}`);
         if (debug) {
             await debugLog(`ok recorded=${data.recorded} stub=${data.created_stub} meta=${JSON.stringify(meta)}`);
         }
     }
     catch (err) {
+        // Network down or API error while authenticated — also buffer so
+        // the event isn't lost. The next successful command will replay.
+        await bufferEvent({
+            slug,
+            agent_type: 'claude',
+            triggered_at,
+            meta: { ...meta, source },
+        });
+        const msg = err.message;
+        await hookLog(`${source}:buffered-on-err slug=${slug} ${msg.slice(0, 80)}`);
         if (debug)
-            await debugLog(`error: ${err.message}`);
-        /* silent — never break the host shell */
+            await debugLog(`api error, buffered: ${msg}`);
     }
 }
+/**
+ * Extract a slash-command name from a UserPromptSubmit payload. Claude
+ * Code ships `{ prompt: '/graphify ...' }` (and tolerates leading
+ * whitespace). We treat the first whitespace-separated token after `/`
+ * as the slug. Returns `null` for non-slash prompts so we don't waste
+ * an API hop on every keystroke.
+ */
+function extractSlashCommand(payload) {
+    const candidates = [
+        payload.prompt,
+        payload.user_prompt,
+        payload.input,
+    ];
+    for (const c of candidates) {
+        if (typeof c !== 'string')
+            continue;
+        const trimmed = c.trimStart();
+        if (!trimmed.startsWith('/'))
+            continue;
+        const token = trimmed.slice(1).split(/[\s\n\r]/, 1)[0] ?? '';
+        if (token)
+            return token;
+    }
+    return null;
+}
 /**
  * Walk the hook payload looking for the invoked Skill's slug. Tries the
  * documented Claude Code path first, then several plausible aliases so
@@ -226,6 +289,45 @@ async function debugLog(line) {
         /* swallow — debug is best-effort */
     }
 }
+/**
+ * Always-on per-fire breadcrumb log so users can answer "did the hook
+ * run?" without flipping `PRAVE_DEBUG=1`. Capped at 200 lines (rotated
+ * lazily by `rotateHookLog`). Lives at `~/.prave/hook.log`.
+ */
+async function hookLog(line) {
+    try {
+        const { mkdir, appendFile } = await import('node:fs/promises');
+        const { join } = await import('node:path');
+        await mkdir(CONFIG.praveDir, { recursive: true });
+        const stamp = new Date().toISOString();
+        await appendFile(join(CONFIG.praveDir, 'hook.log'), `${stamp} ${line}\n`);
+    }
+    catch {
+        /* swallow */
+    }
+}
+const HOOK_LOG_MAX_LINES = 200;
+async function rotateHookLog() {
+    try {
+        const { stat, readFile, writeFile } = await import('node:fs/promises');
+        const { join } = await import('node:path');
+        const path = join(CONFIG.praveDir, 'hook.log');
+        const info = await stat(path).catch(() => null);
+        // Only do the read-rewrite dance occasionally — when the file gets
+        // big enough that we suspect overflow. 32 KB ≈ 200 short lines.
+        if (!info || info.size < 32 * 1024)
+            return;
+        const raw = await readFile(path, 'utf8');
+        const lines = raw.split('\n');
+        if (lines.length <= HOOK_LOG_MAX_LINES)
+            return;
+        const trimmed = lines.slice(-HOOK_LOG_MAX_LINES).join('\n');
+        await writeFile(path, trimmed, 'utf8');
+    }
+    catch {
+        /* swallow */
+    }
+}
 export async function usageHookInstallCommand() {
     track('cli_usage_hook_install');
     const session = await requireAuth('prave usage hook install');
@@ -269,16 +371,22 @@ export async function usageStatusCommand() {
     const { readFile } = await import('node:fs/promises');
     const { join } = await import('node:path');
     const { homedir } = await import('node:os');
-    // 1. Hook installed?
+    // 1. Hook installed? Check both channels we manage.
     const settingsPath = join(homedir(), '.claude', 'settings.json');
-    let hookInstalled = false;
+    let toolHookInstalled = false;
+    let promptHookInstalled = false;
     try {
         const raw = await readFile(settingsPath, 'utf8');
-        hookInstalled = raw.includes('__prave_managed') && raw.includes('Skill');
+        const parsed = JSON.parse(raw);
+        toolHookInstalled =
+            (parsed.hooks?.PostToolUse ?? []).some((b) => b.matcher === 'Skill' && (b.hooks ?? []).some((h) => h.__prave_managed === true));
+        promptHookInstalled =
+            (parsed.hooks?.UserPromptSubmit ?? []).some((b) => (b.hooks ?? []).some((h) => h.__prave_managed === true));
     }
     catch {
         /* no settings.json yet */
     }
+    const hookInstalled = toolHookInstalled && promptHookInstalled;
     // 2. Last 7 days of recorded events from the API.
     let recent7 = 0;
     let topSlugs = [];
@@ -300,14 +408,33 @@ export async function usageStatusCommand() {
     catch {
         /* never scanned */
     }
-    // 4. Debug log tail.
-    const logPath = join(CONFIG.praveDir, 'usage.log');
-    const debugAvailable = existsSync(logPath);
+    // 4. Debug log + hook log tails.
+    const debugLogPath = join(CONFIG.praveDir, 'usage.log');
+    const hookLogPath = join(CONFIG.praveDir, 'hook.log');
+    const debugAvailable = existsSync(debugLogPath);
+    const hookLogAvailable = existsSync(hookLogPath);
+    // 5. API reachability — token-validating ping. We already passed
+    // `requireAuth` above so the credentials file exists; this round-trip
+    // just confirms the access_token is still accepted server-side. If the
+    // hook has been silently 401-ing for a week, this is the only way the
+    // user finds out without flipping `PRAVE_DEBUG=1`.
+    let apiReachable = false;
+    let apiMessage = '';
+    try {
+        await api.get('/api/v1/intelligence/usage/recent?days=1', true);
+        apiReachable = true;
+    }
+    catch (err) {
+        apiMessage =
+            err instanceof ApiError ? `${err.status} ${err.message}` : err.message;
+    }
     // Render.
-    const checkmark = (ok) => (ok ? chalk.green('✓') : chalk.dim('—'));
+    const checkmark = (ok) => (ok ? chalk.green('✓') : chalk.red('✗'));
     log.info(chalk.bold('Usage tracking status'));
     console.log();
-    console.log(`  ${checkmark(hookInstalled)} Real-time hook (Claude Code): ${hookInstalled ? chalk.green('installed') : chalk.yellow('not installed — `prave usage hook install`')}`);
+    console.log(`  ${checkmark(toolHookInstalled)} PostToolUse hook (Skill tool fires): ${toolHookInstalled ? chalk.green('installed') : chalk.yellow('missing — `prave usage hook install`')}`);
+    console.log(`  ${checkmark(promptHookInstalled)} UserPromptSubmit hook (slash commands like /graphify): ${promptHookInstalled ? chalk.green('installed') : chalk.yellow('missing — `prave usage hook install`')}`);
+    console.log(`  ${checkmark(apiReachable)} API reachable + auth valid: ${apiReachable ? chalk.green('yes') : chalk.red(apiMessage || 'no')}`);
     console.log(`  ${checkmark(Boolean(lastScanAt))} Transcript scanner watermark: ${lastScanAt ?? chalk.dim('never run — `prave sync` includes it')}`);
     console.log(`  ${checkmark(recent7 > 0)} Events in last 7 days: ${chalk.cyan(String(recent7))}`);
     if (topSlugs.length) {
@@ -317,20 +444,41 @@ export async function usageStatusCommand() {
             console.log(`    ${chalk.cyan(s.count.toString().padStart(4))}  ${s.name}`);
         }
     }
-    console.log();
-    if (debugAvailable) {
-        log.dim(`Debug log: ${logPath}`);
-        log.dim('Set PRAVE_DEBUG=1 in your shell to enable verbose hook logging.');
-    }
-    else {
-        log.dim('No debug log yet. Set PRAVE_DEBUG=1 to capture every hook fire to ~/.prave/usage.log');
+    // Last 5 hook fires — the breadcrumb trail that answers "did the hook
+    // even run when I typed /graphify?". Read the bottom of hook.log.
+    if (hookLogAvailable) {
+        try {
+            const raw = await readFile(hookLogPath, 'utf8');
+            const tail = raw.trimEnd().split('\n').slice(-5);
+            if (tail.length) {
+                console.log();
+                console.log(chalk.dim('  Last hook fires:'));
+                for (const line of tail)
+                    console.log(`    ${chalk.dim(line)}`);
+            }
+        }
+        catch {
+            /* swallow */
+        }
     }
-    if (recent7 === 0) {
+    console.log();
+    log.dim(`Hook breadcrumb log: ${hookLogPath}`);
+    if (debugAvailable)
+        log.dim(`Verbose debug log:    ${debugLogPath}`);
+    log.dim('Set PRAVE_DEBUG=1 in your shell to enable verbose hook logging.');
+    if (!hookInstalled || !apiReachable || recent7 === 0) {
         console.log();
-        log.warn('No events recorded yet. Quick checks:');
-        log.dim('  1. Is the hook installed? See checkmarks above.');
-        log.dim('  2. Run a Skill in Claude Code, then `tail ~/.prave/usage.log` (with PRAVE_DEBUG=1)');
-        log.dim('  3. Or run `prave usage scan --since 7d` to backfill from transcripts.');
+        log.warn('Telemetry may be incomplete. Suggested fixes:');
+        if (!toolHookInstalled || !promptHookInstalled) {
+            log.dim('  • Run `prave usage hook install` to wire BOTH PostToolUse and UserPromptSubmit.');
+        }
+        if (!apiReachable) {
+            log.dim('  • Run `prave login` — your access token may have expired (silently 401-ing).');
+        }
+        if (recent7 === 0 && hookInstalled && apiReachable) {
+            log.dim('  • Run a Skill in Claude Code, then re-run `prave usage status`.');
+            log.dim('  • Or run `prave usage scan --since 7d` to backfill from transcripts.');
+        }
     }
 }
 async function fetchEnabledAgents() {
@@ -414,13 +562,37 @@ function parseSinceFlag(raw) {
 async function readStdin() {
     if (process.stdin.isTTY)
         return '';
-    const chunks = [];
-    for await (const chunk of process.stdin) {
-        chunks.push(typeof chunk === 'string' ? Buffer.from(chunk) : chunk);
-        if (Buffer.concat(chunks).length > 1_000_000)
-            break;
-    }
-    return Buffer.concat(chunks).toString('utf8');
+    // Hard 1.5 s cap so a stuck pipe never blocks Claude Code's tool flow.
+    // 1 MB payload cap so a runaway stream can't OOM the hook either.
+    return new Promise((resolve) => {
+        const chunks = [];
+        let total = 0;
+        let settled = false;
+        const finish = () => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(Buffer.concat(chunks).toString('utf8'));
+        };
+        const timer = setTimeout(finish, 1500);
+        process.stdin.on('data', (chunk) => {
+            const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+            chunks.push(buf);
+            total += buf.length;
+            if (total > 1_000_000) {
+                clearTimeout(timer);
+                finish();
+            }
+        });
+        process.stdin.once('end', () => {
+            clearTimeout(timer);
+            finish();
+        });
+        process.stdin.once('error', () => {
+            clearTimeout(timer);
+            finish();
+        });
+    });
 }
 /**
  * Auth check with no UX side-effects. Used by the hook so a logged-out

package/dist/index.js

@@ -119,12 +119,12 @@ program
 program
     .command('conflicts')
     .description('Detect overlap, collisions, and missing dependencies')
-    .option('--fix', 'placeholder for interactive fix flow')
+    .option('--fix', 'after listing conflicts, interactively pick installed Skills to uninstall to resolve them')
     .action(conflictsCommand);
 program
     .command('optimize')
     .description('Recommendations: underused, mergeable, and heavy skills')
-    .option('--apply', 'placeholder for auto-apply')
+    .option('--apply', 'after listing recommendations, interactively pick underused + heavy skills to uninstall')
     .option('--remove-unused', 'interactively delete skills that have not fired in 30+ days from ~/.claude/skills/')
     .option('--yes', 'with --remove-unused: skip the confirmation prompt')
     .action(optimizeCommand);
@@ -143,8 +143,9 @@ usage
     .action(usageStatusCommand);
 usage
     .command('report')
-    .description('Internal: invoked by the Claude Code PostToolUse hook (reads stdin)')
-    .action(usageReportCommand);
+    .description('Internal: invoked by the Claude Code PostToolUse / UserPromptSubmit hook (reads stdin)')
+    .option('--source <kind>', 'hook channel that fired this report ("tool" or "prompt")', 'tool')
+    .action((opts) => usageReportCommand(opts));
 const hook = usage.command('hook').description('Install/uninstall the Claude Code real-time usage hook');
 hook
     .command('install')

package/dist/lib/flush-telemetry.js

@@ -0,0 +1,42 @@
+import chalk from 'chalk';
+import { api } from './api.js';
+import { log } from '../utils/logger.js';
+import { flushBuffered, pendingTelemetryCount, } from './telemetry-buffer.js';
+/**
+ * Replay any offline-buffered Skill-invocation events. Called by
+ * `prave login` (right after credentials land on disk) and also by
+ * the API client on every successful authenticated request, so the
+ * queue drains opportunistically even without a fresh login.
+ *
+ * Behavior:
+ *   - silent when the queue is empty (most invocations)
+ *   - prints "Syncing N telemetry events…" + a success or partial
+ *     line when there's a non-zero count
+ *   - never throws — telemetry failures must not break the CLI
+ *
+ * `force` skips the early "empty?" check, useful right after login
+ * where we know we just succeeded and want the user to see whatever
+ * sync number lands (even if zero — feels reassuring).
+ */
+export async function flushBufferedTelemetry(opts = {}) {
+    try {
+        const pending = await pendingTelemetryCount();
+        if (pending === 0 && !opts.force)
+            return;
+        if (pending === 0)
+            return; // even with force, no spinner for 0
+        log.info(`${chalk.cyan('●')} You have telemetry updates from offline sessions. Syncing ${chalk.bold(pending)} event${pending === 1 ? '' : 's'} to your dashboard…`);
+        const result = await flushBuffered(async (body) => {
+            await api.post('/api/v1/intelligence/usage/by-slug', body, true);
+        });
+        if (result.failed === 0) {
+            log.success(`Synced ${chalk.bold(result.sent)} telemetry event${result.sent === 1 ? '' : 's'}. Dashboard is up to date.`);
+        }
+        else {
+            log.warn(`Synced ${result.sent} of ${result.total} — ${result.failed} will retry on the next run.`);
+        }
+    }
+    catch {
+        /* swallow — telemetry sync is best-effort */
+    }
+}

package/dist/lib/hook.js

@@ -22,25 +22,50 @@ const HOOK_MARKER = '__prave_managed';
  */
 export const HOOK_SUPPORTED = ['claude'];
 const HOOK_COMMAND = 'prave usage report';
+// Companion command for the UserPromptSubmit channel so a typed-slash
+// `/graphify` is captured even when the Skill tool path doesn't fire a
+// matching PostToolUse with a populated `tool_input.skill` field.
+const PROMPT_HOOK_COMMAND = 'prave usage report --source=prompt';
+/**
+ * Install on BOTH `PostToolUse` (matcher `Skill`) and `UserPromptSubmit`
+ * (catches slash commands like `/graphify` before tool dispatch). The two
+ * channels are deduped server-side by per-minute bucket, so double-fires
+ * for the same Skill in the same minute land as a single row — but every
+ * additional minute of activity is preserved. Idempotent + atomic.
+ */
 export async function installSkillHook() {
     const settings = await readSettings();
     settings.hooks ??= {};
     settings.hooks.PostToolUse ??= [];
-    const blocks = settings.hooks.PostToolUse;
-    const existingIdx = blocks.findIndex((b) => b.matcher === 'Skill' && b.hooks?.some((h) => h[HOOK_MARKER]));
-    const fresh = {
+    settings.hooks.UserPromptSubmit ??= [];
+    const postBlocks = settings.hooks.PostToolUse;
+    const promptBlocks = settings.hooks.UserPromptSubmit;
+    const postFresh = {
         matcher: 'Skill',
         hooks: [{ type: 'command', command: HOOK_COMMAND, [HOOK_MARKER]: true }],
     };
-    if (existingIdx >= 0) {
-        const existingCmd = blocks[existingIdx]?.hooks?.[0]?.command;
-        if (existingCmd === HOOK_COMMAND) {
-            return { installed: false, alreadyPresent: true, settingsPath: SETTINGS_PATH };
+    const promptFresh = {
+        // UserPromptSubmit has no matcher concept in Claude Code today — the
+        // hook script itself filters for `prompt.startsWith('/')` before
+        // doing any work.
+        hooks: [{ type: 'command', command: PROMPT_HOOK_COMMAND, [HOOK_MARKER]: true }],
+    };
+    const upsert = (blocks, fresh, expectedCmd) => {
+        const idx = blocks.findIndex((b) => b.matcher === fresh.matcher && b.hooks?.some((h) => h[HOOK_MARKER]));
+        if (idx >= 0) {
+            const existingCmd = blocks[idx]?.hooks?.[0]?.command;
+            if (existingCmd === expectedCmd)
+                return false;
+            blocks[idx] = fresh;
+            return true;
         }
-        blocks[existingIdx] = fresh;
-    }
-    else {
         blocks.push(fresh);
+        return true;
+    };
+    const changedPost = upsert(postBlocks, postFresh, HOOK_COMMAND);
+    const changedPrompt = upsert(promptBlocks, promptFresh, PROMPT_HOOK_COMMAND);
+    if (!changedPost && !changedPrompt) {
+        return { installed: false, alreadyPresent: true, settingsPath: SETTINGS_PATH };
     }
     await writeSettings(settings);
     return { installed: true, alreadyPresent: false, settingsPath: SETTINGS_PATH };
@@ -93,25 +118,35 @@ export async function uninstallHooksForAgents(agents) {
 }
 export async function uninstallSkillHook() {
     const settings = await readSettings();
-    const blocks = settings.hooks?.PostToolUse;
-    if (!blocks?.length)
+    if (!settings.hooks)
         return { removed: false, settingsPath: SETTINGS_PATH };
-    const before = blocks.length;
-    const filtered = blocks
-        .map((b) => ({
-        ...b,
-        hooks: b.hooks?.filter((h) => !h[HOOK_MARKER]),
-    }))
-        .filter((b) => (b.hooks?.length ?? 0) > 0);
-    if (filtered.length === before && filtered.every((b, i) => b.hooks?.length === blocks[i]?.hooks?.length)) {
+    let touched = false;
+    const stripChannel = (channel) => {
+        const blocks = settings.hooks?.[channel];
+        if (!blocks?.length)
+            return;
+        const beforeCounts = blocks.map((b) => b.hooks?.length ?? 0);
+        const filtered = blocks
+            .map((b) => ({ ...b, hooks: b.hooks?.filter((h) => !h[HOOK_MARKER]) }))
+            .filter((b) => (b.hooks?.length ?? 0) > 0);
+        const lengthChanged = filtered.length !== blocks.length;
+        const innerChanged = !lengthChanged &&
+            filtered.some((b, i) => (b.hooks?.length ?? 0) !== beforeCounts[i]);
+        if (!lengthChanged && !innerChanged)
+            return;
+        touched = true;
+        if (settings.hooks) {
+            settings.hooks[channel] = filtered.length ? filtered : undefined;
+            if (!filtered.length)
+                delete settings.hooks[channel];
+        }
+    };
+    stripChannel('PostToolUse');
+    stripChannel('UserPromptSubmit');
+    if (!touched)
         return { removed: false, settingsPath: SETTINGS_PATH };
-    }
-    if (settings.hooks) {
-        settings.hooks.PostToolUse = filtered;
-        if (!filtered.length)
-            delete settings.hooks.PostToolUse;
-        if (Object.keys(settings.hooks).length === 0)
-            delete settings.hooks;
+    if (settings.hooks && Object.keys(settings.hooks).length === 0) {
+        delete settings.hooks;
     }
     await writeSettings(settings);
     return { removed: true, settingsPath: SETTINGS_PATH };

package/dist/lib/telemetry-buffer.js

@@ -0,0 +1,131 @@
+import { appendFile, mkdir, readFile, stat, unlink, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { CONFIG } from './config.js';
+/**
+ * Offline telemetry buffer.
+ *
+ * When the PostToolUse hook fires while the user is logged out (no
+ * credentials in ~/.prave/credentials.json), the Skill invocation would
+ * otherwise be lost — the hook can't reach the API. Instead we append
+ * the event as one JSON line to `~/.prave/telemetry-queue.jsonl` and
+ * replay the whole file the next time the user logs in (or runs any
+ * command that hits the API while authenticated).
+ *
+ * Each line is the exact payload the live hook would have POSTed to
+ * `/api/v1/intelligence/usage/by-slug`, so replay is "send each line
+ * through the same endpoint". Server-side dedup (per-minute bucket
+ * keyed by `skill_metadata_id + agent_type`) makes the flush idempotent
+ * — a flush that crashes mid-way can re-run with no double-counting.
+ *
+ * The queue file is hard-capped at 5000 events (~600 KB of JSONL).
+ * Beyond that we drop the oldest line per fire — telemetry is best-
+ * effort, never something that should grow unbounded on disk.
+ */
+export const TELEMETRY_QUEUE_FILE = join(CONFIG.praveDir, 'telemetry-queue.jsonl');
+const MAX_QUEUE_LINES = 5_000;
+const QUEUE_ROTATE_AT_BYTES = 1_000_000; // 1 MB safety stop
+/**
+ * Append one event to the queue. Best-effort: any FS failure is
+ * swallowed because the hook MUST NOT throw — failing telemetry can
+ * never break the user's editor.
+ */
+export async function bufferEvent(event) {
+    try {
+        await mkdir(CONFIG.praveDir, { recursive: true });
+        // Rotate before append if the file got too big. We keep the
+        // newest half — recent telemetry is more valuable than ancient
+        // backlog the user probably doesn't care about anymore.
+        const info = await stat(TELEMETRY_QUEUE_FILE).catch(() => null);
+        if (info && info.size > QUEUE_ROTATE_AT_BYTES) {
+            const raw = await readFile(TELEMETRY_QUEUE_FILE, 'utf8').catch(() => '');
+            const lines = raw.split('\n').filter(Boolean);
+            if (lines.length > MAX_QUEUE_LINES) {
+                const trimmed = lines.slice(-Math.floor(MAX_QUEUE_LINES / 2));
+                await writeFile(TELEMETRY_QUEUE_FILE, trimmed.join('\n') + '\n', 'utf8');
+            }
+        }
+        await appendFile(TELEMETRY_QUEUE_FILE, JSON.stringify(event) + '\n', 'utf8');
+    }
+    catch {
+        /* swallow — telemetry is best-effort */
+    }
+}
+/**
+ * Read the queue. Returns parsed events plus the raw line count so
+ * callers can report "N events synced". Skips malformed lines silently
+ * — a single corrupt write must not kill an entire replay.
+ */
+async function readQueue() {
+    const raw = await readFile(TELEMETRY_QUEUE_FILE, 'utf8').catch(() => null);
+    if (!raw)
+        return [];
+    const out = [];
+    for (const line of raw.split('\n')) {
+        const t = line.trim();
+        if (!t)
+            continue;
+        try {
+            const parsed = JSON.parse(t);
+            if (parsed.slug && parsed.triggered_at)
+                out.push(parsed);
+        }
+        catch {
+            /* skip malformed */
+        }
+    }
+    return out;
+}
+/**
+ * Replay the queue against the by-slug endpoint and delete the file on
+ * full success. Caller passes the already-authenticated POST helper so
+ * we don't introduce a circular dep on api.ts.
+ *
+ * On partial failure (network blip mid-flush), the remaining events
+ * are rewritten so a later attempt picks up where we left off. Order
+ * is preserved across rewrites.
+ */
+export async function flushBuffered(postBySlug) {
+    const events = await readQueue();
+    if (!events.length)
+        return { sent: 0, failed: 0, total: 0 };
+    let sent = 0;
+    const remaining = [];
+    for (let i = 0; i < events.length; i++) {
+        const ev = events[i];
+        if (!ev)
+            continue;
+        try {
+            await postBySlug({ ...ev, source: 'buffered' });
+            sent += 1;
+        }
+        catch {
+            // Keep this one and every event after it for the next attempt.
+            // We don't push-and-continue because a network blip likely means
+            // every subsequent POST will fail too — better to stop fast.
+            remaining.push(...events.slice(i));
+            break;
+        }
+    }
+    if (remaining.length === 0) {
+        await unlink(TELEMETRY_QUEUE_FILE).catch(() => { });
+    }
+    else {
+        await writeFile(TELEMETRY_QUEUE_FILE, remaining.map((e) => JSON.stringify(e)).join('\n') + '\n', 'utf8').catch(() => { });
+    }
+    return { sent, failed: remaining.length, total: events.length };
+}
+/**
+ * Cheap "is there anything to flush?" check — used by login/whoami to
+ * decide whether to print the "syncing pending telemetry" line at all.
+ * Returns 0 when the file doesn't exist OR is empty.
+ */
+export async function pendingTelemetryCount() {
+    const raw = await readFile(TELEMETRY_QUEUE_FILE, 'utf8').catch(() => null);
+    if (!raw)
+        return 0;
+    let n = 0;
+    for (const line of raw.split('\n'))
+        if (line.trim())
+            n += 1;
+    return n;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prave/cli",
-  "version": "1.2.0",
+  "version": "1.2.2",
   "description": "Prave CLI — discover, install, version, test, and ship Claude Skills. The developer platform for the complete Skill lifecycle.",
   "type": "module",
   "keywords": [
@@ -26,14 +26,14 @@
   "homepage": "https://prave.app",
   "bugs": {
     "url": "https://github.com/eppstudio/prave/issues",
-    "email": "info@epplab-studio.de"
+    "email": "hello@epplab-studio.de"
   },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/eppstudio/prave.git",
     "directory": "apps/cli"
   },
-  "author": "EppLab Studio <info@epplab-studio.de> (https://epplab-studio.de)",
+  "author": "EppLab Studio <hello@epplab-studio.de> (https://epplab-studio.de)",
   "license": "MIT",
   "engines": {
     "node": ">=18"
@@ -51,7 +51,7 @@
     "open": "^10.1.0",
     "ora": "^8.0.1",
     "undici": "^6.18.0",
-    "@prave/shared": "1.2.0"
+    "@prave/shared": "1.2.2"
   },
   "devDependencies": {
     "@types/node": "^20.12.7",