@prave/cli 1.4.1 → 1.4.3

package/dist/commands/deploy.js

@@ -1,3 +1,13 @@
+/**
+ * Multi-agent fan-out helper.
+ *
+ * This module used to back a public `prave deploy <skill>` command, but
+ * shipping that as a top-level CLI surface only duplicated what
+ * `prave install` already prompts for ("Deploy to all configured agents?
+ * [y/N]"). The standalone command was removed; `deployCommand` lives on
+ * as an internal helper that `install.ts` and `sync.ts` import to do
+ * the actual fan-out + Cursor `.mdc` rewrite.
+ */
 import { mkdir, readFile, writeFile } from 'node:fs/promises';
 import { homedir } from 'node:os';
 import { join } from 'node:path';

package/dist/commands/mcp-server.js

@@ -118,8 +118,16 @@ async function handleSearch(args) {
     if (args.category)
         params.set('category', args.category);
     params.set('limit', String(Math.min(20, Math.max(1, args.limit ?? 10))));
+    // The API's GET /skills returns a flat array as `data` (the
+    // controller calls `res.json(ok(skills))` with skills being
+    // `SkillSearchHit[]`). An earlier version of this MCP handler
+    // wrapped the response in `{items}` which is the shape the wizard
+    // uses, but never the public list endpoint — that mismatch silently
+    // turned every search into "No Skills matched" because `data.items`
+    // was always undefined. Normalise both shapes to stay forward-
+    // compatible with future API shifts.
     const { data } = await api.get(`/api/v1/skills?${params.toString()}`, true);
-    const items = data.items ?? [];
+    const items = Array.isArray(data) ? data : (data?.items ?? []);
     const lines = items.map((s) => `• ${s.name} (${s.slug}) — ${s.description ?? 'no description'} · ↓${s.install_count}`);
     return mcpText(lines.length
         ? `Found ${lines.length} Skill${lines.length === 1 ? '' : 's'}:\n\n${lines.join('\n')}`
@@ -139,8 +147,11 @@ async function handleWhatdoes(args) {
         .join('\n'));
 }
 async function handleMySkills() {
+    // Same shape gotcha as handleSearch — /me/skills also returns a flat
+    // array via `ok(skills)` where skills is `SkillSearchHit[]`. Normalise
+    // both shapes so a future server-side refactor doesn't break the tool.
     const { data } = await api.get('/api/v1/me/skills', true);
-    const items = data.items ?? [];
+    const items = Array.isArray(data) ? data : (data?.items ?? []);
     if (items.length === 0) {
         return mcpText('You haven\'t installed or authored any Skills yet. Try `prave_search_skills` to browse the catalogue.');
     }

package/dist/commands/run.js

@@ -1,5 +1,6 @@
 import { readdir, readFile, stat } from 'node:fs/promises';
 import { resolve, relative, basename, sep } from 'node:path';
+import { createInterface } from 'node:readline/promises';
 import { Buffer } from 'node:buffer';
 import chalk from 'chalk';
 import open from 'open';
@@ -46,7 +47,8 @@ const TAR_IGNORE = new Set([
 ]);
 const MAX_BUNDLE_BYTES = 20 * 1024 * 1024; // matches API + Supabase Storage cap
 const MAX_FILES = 200;
-export async function runDeployCommand(pathArg) {
+export async function runDeployCommand(pathArg, options = {}) {
+    const isUpdate = Boolean(options.updateRunSlug);
     const root = resolve(pathArg ?? process.cwd());
     const rootStat = await stat(root).catch(() => null);
     if (!rootStat?.isDirectory()) {
@@ -62,11 +64,40 @@ export async function runDeployCommand(pathArg) {
     const creds0 = await requireAuth('prave run');
     if (!creds0)
         return;
-    // 1. Local secret-scan BEFORE we ship anything. Cheap defence in
+    // 1a. Look for .env / .env.production / .env.local etc. The scanner
+    // would otherwise hard-reject them on the upload. Offer to lift the
+    // values out of the bundle and pass them to the wizard so they end
+    // up encrypted on the run row instead of in the tarball.
+    const envFiles = await findEnvFiles(root);
+    let envVars = {};
+    const stripPaths = new Set();
+    if (envFiles.length > 0) {
+        const totalKeys = envFiles.reduce((n, f) => n + Object.keys(f.values).length, 0);
+        console.log();
+        console.log(chalk.bold(`Found ${envFiles.length} env file${envFiles.length === 1 ? '' : 's'} with ${totalKeys} variable${totalKeys === 1 ? '' : 's'}:`));
+        for (const f of envFiles) {
+            console.log(`  ${chalk.cyan('•')} ${f.path}  ${chalk.dim(`(${Object.keys(f.values).length} keys)`)}`);
+        }
+        console.log(chalk.dim('\nIf you continue, Prave strips these from the upload and passes the\n' +
+            'values to the browser wizard. They get AES-256-GCM-encrypted onto\n' +
+            'the run, decrypted only inside the sandbox at run-time.\n' +
+            'Decline to abort so you can clean up first.'));
+        const yes = await confirmYesNo('Strip & pass env vars to the wizard?');
+        if (!yes) {
+            log.error('Aborted. Remove the .env file(s) (or rename to .env.example) and re-run.');
+            process.exit(1);
+        }
+        for (const f of envFiles) {
+            stripPaths.add(f.path);
+            Object.assign(envVars, f.values);
+        }
+    }
+    // 1b. Local secret-scan BEFORE we ship anything. Cheap defence in
     // depth — even though the API scans again, surfacing the finding
     // pre-upload saves the user a round-trip and avoids briefly storing
-    // a secret-bearing tarball in our bucket.
-    const localFindings = await preflightScan(root);
+    // a secret-bearing tarball in our bucket. The env files we just
+    // accepted to lift out are excluded from the scan.
+    const localFindings = await preflightScan(root, stripPaths);
     if (localFindings.length > 0) {
         log.error('Bundle contains files that look like secrets:');
         for (const f of localFindings.slice(0, 10)) {
@@ -77,11 +108,16 @@ export async function runDeployCommand(pathArg) {
             'will prompt you for the real values during the wizard.'));
         process.exit(1);
     }
-    // 2. Mint the deploy session
-    const initSpinner = ora('Opening deploy session…').start();
+    // 2. Mint the deploy session. Update flows tag the session with
+    // the existing run's slug so the upload handler swaps that run's
+    // bundle pointer instead of creating a fresh row.
+    const initSpinner = ora(isUpdate ? `Opening update session for ${options.updateRunSlug}…` : 'Opening deploy session…').start();
     let session;
     try {
-        const { data } = await api.post('/api/v1/deploy/init', {}, true);
+        const initPath = isUpdate
+            ? `/api/v1/deploy/init?run_slug=${encodeURIComponent(options.updateRunSlug)}`
+            : '/api/v1/deploy/init';
+        const { data } = await api.post(initPath, {}, true);
         session = data.session;
         initSpinner.succeed('Session opened');
     }
@@ -89,13 +125,28 @@ export async function runDeployCommand(pathArg) {
         initSpinner.fail(`Could not open deploy session: ${err.message}`);
         process.exit(1);
     }
+    // 2b. Ship env vars to the wizard before the upload so they're
+    // waiting when the browser opens. The wizard reads them once via
+    // /deploy/status and pre-fills its env-vars step.
+    if (Object.keys(envVars).length > 0) {
+        const envSpinner = ora('Sending env vars to the wizard…').start();
+        try {
+            await api.post(`/api/v1/deploy/env?session=${encodeURIComponent(session.session_id)}`, { env_vars: envVars }, true);
+            envSpinner.succeed(`Passed ${Object.keys(envVars).length} env var(s)`);
+        }
+        catch (err) {
+            envSpinner.fail(`Could not ship env vars: ${err.message}`);
+            process.exit(1);
+        }
+    }
     // 3. Pack the directory into a gzipped tar in memory. tar.create's
     // `cwd` option is critical — paths inside the archive must be
-    // RELATIVE to the project root, not absolute.
+    // RELATIVE to the project root, not absolute. Stripped paths are
+    // env files we already shipped via /deploy/env above.
     const packSpinner = ora('Bundling project…').start();
     let tarball;
     try {
-        tarball = await packDirectory(root);
+        tarball = await packDirectory(root, stripPaths);
         packSpinner.succeed(`Bundled ${formatBytes(tarball.length)}`);
     }
     catch (err) {
@@ -133,12 +184,23 @@ export async function runDeployCommand(pathArg) {
             process.exit(1);
         }
         uploadSpinner.succeed('Upload complete');
+        // Update flow: the server already swapped the run's bundle
+        // pointer. No wizard, no browser open — just confirm + exit.
+        const parsed = safeJson(text);
+        if (isUpdate || parsed?.updated_run_slug) {
+            console.log();
+            console.log(chalk.bold(`Updated ${parsed?.updated_run_slug ?? options.updateRunSlug}.`));
+            console.log(chalk.dim('  Next scheduled fire will use the freshly-uploaded bundle.\n' +
+                '  Open the dashboard:'));
+            console.log(chalk.cyan('  ' + session.wizard_url));
+            return;
+        }
     }
     catch (err) {
         uploadSpinner.fail(`Upload failed: ${err.message}`);
         process.exit(1);
     }
-    // 5. Open the browser at the wizard
+    // 5. New-run flow: open the browser at the wizard.
     console.log();
     console.log(chalk.bold('Finish in the browser:'));
     console.log(chalk.cyan('  ' + session.wizard_url));
@@ -221,7 +283,7 @@ async function findSkillMd(root) {
         return null;
     }
 }
-async function preflightScan(root) {
+async function preflightScan(root, stripPaths = new Set()) {
     const inputs = [];
     let files = 0;
     let bytes = 0;
@@ -243,8 +305,13 @@ async function preflightScan(root) {
             }
             if (!entry.isFile())
                 continue;
-            files++;
             const rel = relative(root, abs).split(sep).join('/');
+            // The user already accepted to lift this env file out of the
+            // bundle in the previous step. Don't scan it (we know it has
+            // secrets — that's why we're lifting it).
+            if (stripPaths.has(rel))
+                continue;
+            files++;
             if (!isLikelyTextPath(rel)) {
                 inputs.push({ path: rel });
                 continue;
@@ -262,12 +329,17 @@ async function preflightScan(root) {
     await visit(root);
     return scanForSecrets(inputs).findings;
 }
-async function packDirectory(root) {
+async function packDirectory(root, stripPaths = new Set()) {
     // Top-level entries only — tar.create resolves them against `cwd`.
     const entries = (await readdir(root)).filter((n) => !TAR_IGNORE.has(n));
     if (entries.length === 0) {
         throw new Error('Project directory is empty.');
     }
+    // Normalise the strip-set against tar.create's relative-path format
+    // (POSIX forward slashes, no leading "./"). Paths sit one level
+    // beneath the archive's basename prefix, so we compare on the
+    // input-side relative path tar.create hands us.
+    const stripNormalised = new Set([...stripPaths].map((p) => p.replace(/\\/g, '/').replace(/^\.\//, '')));
     const stream = tar.create({
         gzip: true,
         cwd: root,
@@ -276,7 +348,10 @@ async function packDirectory(root) {
         // gets a `<project>/SKILL.md` shape, not a flat dump at the
         // archive root.
         prefix: basename(root),
-        filter: (_path) => true,
+        filter: (path) => {
+            const norm = path.replace(/\\/g, '/').replace(/^\.\//, '');
+            return !stripNormalised.has(norm);
+        },
     }, entries);
     const chunks = [];
     for await (const chunk of stream) {
@@ -284,6 +359,84 @@ async function packDirectory(root) {
     }
     return Buffer.concat(chunks);
 }
+/**
+ * Look for common `.env*` files at the project root. We don't scan
+ * deeper than top-level — a nested `.env` is almost certainly a
+ * shipping example, not the real secrets file. Returns an empty list
+ * when nothing's found.
+ */
+async function findEnvFiles(root) {
+    const entries = await readdir(root, { withFileTypes: true }).catch(() => []);
+    const findings = [];
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const name = entry.name;
+        if (!isRealEnvFile(name))
+            continue;
+        try {
+            const raw = await readFile(`${root}${sep}${name}`, 'utf8');
+            const values = parseDotenv(raw);
+            if (Object.keys(values).length === 0)
+                continue;
+            findings.push({ path: name, values });
+        }
+        catch {
+            /* unreadable — skip */
+        }
+    }
+    return findings;
+}
+/**
+ * `.env`, `.env.local`, `.env.production`, `.env.development`, `.envrc`
+ * count as "real env files". Templates (`.env.example`, `.env.sample`,
+ * `.env.template`) are explicitly NOT lifted — those are meant to be
+ * shipped.
+ */
+function isRealEnvFile(name) {
+    if (name === '.env' || name === '.envrc')
+        return true;
+    if (!name.startsWith('.env.'))
+        return false;
+    const suffix = name.slice('.env.'.length);
+    if (/^(example|sample|template)$/i.test(suffix))
+        return false;
+    return true;
+}
+function parseDotenv(text) {
+    const out = {};
+    for (const raw of text.split('\n')) {
+        const line = raw.trim();
+        if (!line || line.startsWith('#'))
+            continue;
+        const eq = line.indexOf('=');
+        if (eq <= 0)
+            continue;
+        const key = line.slice(0, eq).trim();
+        let value = line.slice(eq + 1).trim();
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(key))
+            out[key] = value;
+    }
+    return out;
+}
+async function confirmYesNo(question) {
+    // Non-interactive shells (pipes, CI) can't prompt — default to "no"
+    // so we never silently ship secrets in a script.
+    if (!process.stdout.isTTY || !process.stdin.isTTY)
+        return false;
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        const answer = (await rl.question(`${question} [Y/n] `)).trim().toLowerCase();
+        return answer === '' || answer === 'y' || answer === 'yes';
+    }
+    finally {
+        rl.close();
+    }
+}
 function formatBytes(n) {
     if (n < 1024)
         return `${n}B`;

package/dist/index.js

@@ -4,10 +4,8 @@ import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { Command } from 'commander';
 import { conflictsCommand } from './commands/conflicts.js';
-import { deployCommand } from './commands/deploy.js';
 import { diffCommand } from './commands/diff.js';
 import { docsCommand } from './commands/docs.js';
-import { exportCommand } from './commands/export.js';
 import { importCommand } from './commands/import.js';
 import { installCommand } from './commands/install.js';
 import { listCommand } from './commands/list.js';
@@ -23,7 +21,7 @@ import { settingsCommand } from './commands/settings.js';
 import { syncCommand } from './commands/sync.js';
 import { uninstallCommand } from './commands/uninstall.js';
 import { updateCommand } from './commands/update.js';
-import { usageHookInstallCommand, usageHookUninstallCommand, usageReportCommand, usageScanCommand, usageStatusCommand, } from './commands/usage.js';
+import { usageHookInstallCommand, usageHookUninstallCommand, usageReportCommand, } from './commands/usage.js';
 import { whatdoesCommand } from './commands/whatdoes.js';
 import { whoamiCommand } from './commands/whoami.js';
 import { initAnalytics } from './lib/analytics.js';
@@ -36,12 +34,13 @@ const program = new Command()
     'Prave — Developer platform for Claude Skills.',
     '',
     '  Lifecycle: discover · install · author · sync · audit · ship.',
-    '  Targets ~/.claude/skills/ by default; multi-agent via `prave deploy`.',
+    '  Targets ~/.claude/skills/ by default; multi-agent fan-out happens at install time.',
     '',
     '  Quick start:',
     '    prave login          # device-code auth in your browser',
     '    prave search <q>     # discover community skills',
-    '    prave install <slug> # pull into ~/.claude/skills/',
+    '    prave install <slug> # pull into ~/.claude/skills/ (multi-agent prompt included)',
+    '    prave run deploy     # bundle cwd, schedule on Prave\'s sandbox',
     '    prave usage hook install   # real-time invocation tracking',
     '',
     '  Docs:    https://prave.app/docs',
@@ -97,11 +96,6 @@ program
     .option('--heavy', 'narrow to Skills above the heavy-tier threshold (>5k estimated tokens)')
     .action(listCommand);
 program.command('search <query>').description('Search public Skills').action(searchCommand);
-program
-    .command('export <slug>')
-    .description('Print or save a Skill\'s SKILL.md without installing')
-    .option('-o, --out <file>', 'write to file instead of stdout')
-    .action(exportCommand);
 program
     .command('diff <slug>')
     .description('Show local vs registry diff for an installed Skill')
@@ -135,16 +129,6 @@ program
 const usage = program
     .command('usage')
     .description('Track which Skills you actually use (powers the optimiser)');
-usage
-    .command('scan')
-    .description('Scan local Claude Code transcripts and report invocations to Prave')
-    .option('--since <window>', 'override the watermark, e.g. "7d" or "12h"')
-    .option('--quiet', 'log a one-liner instead of a spinner')
-    .action(usageScanCommand);
-usage
-    .command('status')
-    .description('Diagnose hook health, recent event counts, and most-used Skills')
-    .action(usageStatusCommand);
 usage
     .command('report')
     .description('Internal: invoked by the Claude Code PostToolUse / UserPromptSubmit hook (reads stdin)')
@@ -159,12 +143,6 @@ hook
     .command('uninstall')
     .description('Remove the Prave-managed hook from ~/.claude/settings.json')
     .action(usageHookUninstallCommand);
-program
-    .command('deploy <skillname>')
-    .description('Deploy a Skill to every configured agent (Claude Code, Codex, Cursor, Gemini, Cline, Amp). Free plan deploys to Claude Code only; Pro and Max deploy across all six. The skill must already exist locally — use `prave install` first or point to a SKILL.md folder.')
-    .option('--agent <agent>', 'restrict deploy to a single agent (claude-code | codex | cursor | gemini | cline | amp)')
-    .option('--dry-run', 'log every destination path but write nothing — preview before committing')
-    .action(deployCommand);
 program
     .command('mcp-server')
     .description('Run the Prave MCP server over stdio. Wire into Claude Desktop / Cursor MCP / Continue.dev via { "command": "npx", "args": ["-y", "@prave/cli", "mcp-server"] }. Exposes search, install, audit, my-skills, whatdoes as MCP tools.')
@@ -181,6 +159,10 @@ run
     .command('deploy [path]')
     .description('Bundle the current directory (or `path`), upload it to Prave, and open the browser wizard to pick the schedule + agent.')
     .action((path) => runDeployCommand(path));
+run
+    .command('update <slug> [path]')
+    .description("Re-upload the bundle for an existing run. Same flow as `deploy`, but the run's schedule, agent and env vars stay intact — only the project files swap.")
+    .action((slug, path) => runDeployCommand(path, { updateRunSlug: slug }));
 run
     .command('list')
     .description('List your scheduled runs with next-fire time + last status.')
@@ -209,14 +191,12 @@ program
         '',
         'Discover & install',
         '  prave search <q>                   # public skill search',
-        '  prave install <slug> [--no-deps]   # install into ~/.claude/skills/',
+        '  prave install <slug> [--no-deps]   # install into ~/.claude/skills/ (multi-agent prompt included)',
         '  prave uninstall <slug>             # remove a local skill',
         '  prave list [--remote] [--verbose]  # what is installed (or remote)',
-        '  prave export <slug> -o file.md     # dump SKILL.md without installing',
         '',
         'Authoring & sync',
         '  prave import [--upload --public]   # publish ~/.claude/skills/ to Prave',
-        '  prave deploy <skill> [--agent x]   # mirror to other agents',
         '  prave sync                         # pull every installed update',
         '  prave update [slug] [--dry-run]    # diff + pull outdated skills',
         '  prave diff <slug>                  # local vs registry diff',
@@ -231,8 +211,6 @@ program
         'Usage tracking (Pro+)',
         '  prave usage hook install           # real-time PostToolUse hook',
         '  prave usage hook uninstall',
-        '  prave usage scan [--since 7d]      # transcript scanner',
-        '  prave usage status                 # hook health + recent counts',
         '',
         'Settings',
         '  prave settings                     # configure agents + paths',

package/dist/lib/api.js

@@ -15,39 +15,68 @@ export class ApiError extends Error {
  * Supabase rate limiter.
  */
 let refreshing = null;
+/** One HTTP round-trip to /cli/refresh — returns null on any non-200. */
+async function callRefresh(refresh_token) {
+    try {
+        const { statusCode, body } = await request(`${CONFIG.apiUrl}/api/v1/cli/refresh`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ refresh_token }),
+        });
+        const text = await body.text();
+        if (statusCode !== 200)
+            return null;
+        const payload = JSON.parse(text);
+        if (!payload.success || !payload.data)
+            return null;
+        return payload.data;
+    }
+    catch {
+        return null;
+    }
+}
 async function refreshTokens() {
     if (refreshing)
         return refreshing;
     refreshing = (async () => {
-        const creds = await loadCredentials();
-        if (!creds?.refresh_token)
+        const initial = await loadCredentials();
+        if (!initial?.refresh_token)
             return null;
-        try {
-            const { statusCode, body } = await request(`${CONFIG.apiUrl}/api/v1/cli/refresh`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ refresh_token: creds.refresh_token }),
-            });
-            const text = await body.text();
-            if (statusCode !== 200)
-                return null;
-            const payload = JSON.parse(text);
-            if (!payload.success || !payload.data)
-                return null;
-            const next = {
-                ...creds,
-                access_token: payload.data.access_token,
-                refresh_token: payload.data.refresh_token ?? creds.refresh_token,
-                user_id: payload.data.user_id,
-                // Persist the new expiry so the next call's proactive check works.
-                expires_at: payload.data.expires_at ?? undefined,
-            };
-            await saveCredentials(next);
-            return next;
+        // First attempt: refresh with whatever's on disk right now.
+        let result = await callRefresh(initial.refresh_token);
+        let creds = initial;
+        // Supabase rotates the refresh_token on every successful refresh, so
+        // the old one is invalidated immediately. Two CLI processes can race
+        // here: the PostToolUse hook fires in the background while a
+        // foreground `prave whoami` (or anything else) is also alive. Each
+        // is its own Node process; the single-flight `refreshing` Promise
+        // only de-dupes within one process.
+        //
+        // When that race happens, the loser's stored refresh_token is now
+        // the already-used (and rejected) one. Re-read credentials.json
+        // once — if the file has moved on (another process wrote newer
+        // tokens), retry with the fresh refresh_token before giving up.
+        if (!result) {
+            const fresh = await loadCredentials();
+            if (fresh?.refresh_token &&
+                fresh.refresh_token !== initial.refresh_token) {
+                result = await callRefresh(fresh.refresh_token);
+                if (result)
+                    creds = fresh;
+            }
         }
-        catch {
+        if (!result)
             return null;
-        }
+        const next = {
+            ...creds,
+            access_token: result.access_token,
+            refresh_token: result.refresh_token ?? creds.refresh_token,
+            user_id: result.user_id,
+            // Persist the new expiry so the next call's proactive check works.
+            expires_at: result.expires_at ?? undefined,
+        };
+        await saveCredentials(next);
+        return next;
     })();
     try {
         return await refreshing;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prave/cli",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "Prave CLI — discover, install, version, test, and ship Claude Skills. The developer platform for the complete Skill lifecycle.",
   "type": "module",
   "keywords": [
@@ -54,7 +54,7 @@
     "ora": "^8.0.1",
     "tar": "^7.4.3",
     "undici": "^6.18.0",
-    "@prave/shared": "1.4.1"
+    "@prave/shared": "1.4.3"
   },
   "devDependencies": {
     "@types/node": "^20.12.7",
@@ -71,6 +71,6 @@
     "build": "tsc -p tsconfig.json && node scripts/inject-config.mjs",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "lint": "tsc -p tsconfig.json --noEmit",
-    "postinstall": "node scripts/postinstall.mjs"
+    "postinstall": "node scripts/postinstall.mjs || true"
   }
 }

package/dist/commands/export.js

@@ -1,35 +0,0 @@
-import { writeFile } from 'node:fs/promises';
-import { api } from '../lib/api.js';
-import { loadCredentials } from '../lib/credentials.js';
-import { fetchMyPlan, formatUpgradeHint } from '../lib/plan.js';
-import { log } from '../utils/logger.js';
-/**
- * `prave export <slug>` — print or save a Skill's SKILL.md to disk
- * without touching ~/.claude/skills/. Useful for CI pipelines that want
- * to bundle Skills into other repos.
- */
-export async function exportCommand(slug, opts = {}) {
-    const session = await loadCredentials();
-    // Plan gate: export is part of the Pro+ authoring toolkit. Free can browse
-    // and install, not extract for republishing.
-    if (session) {
-        const me = await fetchMyPlan();
-        if (!me.limits.can_authoring_public && !me.limits.can_authoring_private) {
-            log.warn('Export requires the Pro plan or higher.');
-            log.dim(formatUpgradeHint('explorer'));
-            return;
-        }
-    }
-    const { data: skill } = await api.get(`/api/v1/skills/${encodeURIComponent(slug)}`, Boolean(session));
-    const content = skill.content ?? '';
-    if (!content.trim()) {
-        log.warn(`${slug} has no content`);
-        return;
-    }
-    if (opts.out) {
-        await writeFile(opts.out, content, 'utf8');
-        log.success(`Wrote ${opts.out} (${content.length} bytes)`);
-        return;
-    }
-    process.stdout.write(content);
-}