@prave/cli 1.4.10 → 1.4.12

package/dist/index.js

@@ -25,6 +25,7 @@ import { whatdoesCommand } from './commands/whatdoes.js';
 import { whoamiCommand } from './commands/whoami.js';
 import { initAnalytics } from './lib/analytics.js';
 import { captureAuthSnapshot, nudgeFirstRun } from './lib/nudge.js';
+import { maybeCheckForUpdate } from './lib/update-check.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
 initAnalytics(pkg.version);
@@ -217,6 +218,19 @@ program.hook('preAction', async () => {
         /* never block the command on nudge bookkeeping */
     }
 });
+// Once-a-day npm update check. Most invocations short-circuit on the
+// 24-hour throttle stored in ~/.prave/config.json; when the throttle
+// has elapsed, a short fetch to the npm registry compares versions
+// and prints a one-line upgrade hint at the end of the command. Hard
+// 2-second timeout so a slow registry can never block the user.
+program.hook('postAction', async () => {
+    try {
+        await maybeCheckForUpdate(pkg.version);
+    }
+    catch {
+        /* nudges + update checks are decorative — never block on them */
+    }
+});
 // Global first-run banner. Fires once on the user's very first command
 // regardless of which one it was — catches commands that don't have a
 // per-action nudge wired in (e.g. `prave docs`, `prave conflicts`).

package/dist/lib/credentials.js

@@ -1,14 +1,39 @@
-import { chmod, mkdir, readFile, unlink, writeFile } from 'node:fs/promises';
+import { chmod, mkdir, readFile, rename, unlink, writeFile } from 'node:fs/promises';
 import { dirname } from 'node:path';
 import { CONFIG } from './config.js';
+/**
+ * Persist credentials atomically.
+ *
+ * The PostToolUse hook fires once per tool call, so two concurrent CLI
+ * processes refreshing the access token at the same second is the
+ * common case, not the edge. A plain `writeFile` then leaves the file
+ * in a partial / interleaved state for the brief window the bytes are
+ * being flushed — a concurrent `loadCredentials` reads that partial
+ * blob, `JSON.parse` throws, the catch swallows it and returns null,
+ * and the user is silently treated as logged out for every subsequent
+ * hook fire until they manually run `prave login` again.
+ *
+ * Writing to a sibling temp file and renaming over the target is
+ * atomic on POSIX (rename(2)) so readers either see the previous
+ * complete file or the new complete file — never a half-written one.
+ */
 export async function saveCredentials(creds) {
-    await mkdir(dirname(CONFIG.credentialsPath), { recursive: true });
-    await writeFile(CONFIG.credentialsPath, JSON.stringify(creds, null, 2), 'utf8');
-    await chmod(CONFIG.credentialsPath, 0o600);
+    const target = CONFIG.credentialsPath;
+    await mkdir(dirname(target), { recursive: true });
+    // Per-process tmp suffix so two parallel writers don't stomp each
+    // other's tmp file — the OS still serialises the final rename.
+    const tmp = `${target}.${process.pid}.${Date.now()}.tmp`;
+    await writeFile(tmp, JSON.stringify(creds, null, 2), 'utf8');
+    await chmod(tmp, 0o600);
+    await rename(tmp, target);
 }
 export async function loadCredentials() {
     try {
         const raw = await readFile(CONFIG.credentialsPath, 'utf8');
+        // Belt + suspenders: even with atomic writes, a credentials file
+        // can land truncated if a previous CLI version was killed mid-write
+        // or the FS had a power loss. Treat unparseable content as logged
+        // out instead of crashing — the next `prave login` repairs it.
         return JSON.parse(raw);
     }
     catch {

package/dist/lib/update-check.js

@@ -0,0 +1,129 @@
+import chalk from 'chalk';
+import { readLocalConfig, writeLocalConfigPatch } from './local-config.js';
+/**
+ * Once-a-day npm update check.
+ *
+ * A real "first command in a fresh terminal session" hook would need
+ * shell integration we don't ship. The user-visible behaviour is
+ * identical with a 24-hour timestamp throttle: the first `prave <cmd>`
+ * the user runs on any given day reaches out to npm, compares versions,
+ * and prints a one-line dim hint if a newer release exists. Subsequent
+ * commands inside the same window skip the network round-trip entirely.
+ *
+ * Rules:
+ *   • Hard cap on round-trip time (2 s). A slow npm registry must NEVER
+ *     block the user's command. The promise is fire-and-forget from the
+ *     caller's perspective — we always return cleanly.
+ *   • Skipped when stdout isn't a TTY (pipes, CI), or when
+ *     PRAVE_QUIET=1 / PRAVE_TELEMETRY=0 is set.
+ *   • The check itself runs through `node fetch` so we don't take a
+ *     dependency on a specific HTTP client (the CLI's `api.ts` is
+ *     auth-aware and overkill for a public, unauthenticated GET).
+ *   • Persists `last_update_check` (unix ms) in ~/.prave/config.json
+ *     regardless of outcome — a network blip is treated like a clean
+ *     "you're up to date" so we don't re-spam npm every command after
+ *     a failure.
+ */
+const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const REQUEST_TIMEOUT_MS = 2_000;
+const NPM_PACKAGE = '@prave/cli';
+/**
+ * Returns true if the throttle has elapsed and we should hit npm now.
+ * Reads-and-writes the config so concurrent invocations from the same
+ * shell don't double-fire (last-write-wins is fine here).
+ */
+async function dueForCheck() {
+    const cfg = await readLocalConfig();
+    const last = typeof cfg.last_update_check === 'number' ? cfg.last_update_check : 0;
+    return Date.now() - last >= CHECK_INTERVAL_MS;
+}
+/**
+ * SemVer-ish comparator. Returns:
+ *   < 0  if a < b
+ *   0    if equal
+ *   > 0  if a > b
+ *
+ * Tolerates pre-release tails (`1.4.9-rc.1`) by lexicographically
+ * comparing them when the numeric tuples tie. Sufficient for the
+ * "newer is available" hint; we don't ship a strict semver library.
+ */
+function compareVersions(a, b) {
+    const [aNum, aPre = ''] = a.split('-', 2);
+    const [bNum, bPre = ''] = b.split('-', 2);
+    const aParts = aNum.split('.').map((n) => parseInt(n, 10));
+    const bParts = bNum.split('.').map((n) => parseInt(n, 10));
+    const length = Math.max(aParts.length, bParts.length);
+    for (let i = 0; i < length; i++) {
+        const x = aParts[i] ?? 0;
+        const y = bParts[i] ?? 0;
+        if (Number.isNaN(x) || Number.isNaN(y))
+            return 0; // unparseable → treat as equal
+        if (x !== y)
+            return x - y;
+    }
+    // Numeric tuples equal — a release version > any pre-release of the
+    // same number ("1.4.9" > "1.4.9-rc.1"), and pre-releases sort by
+    // lexicographic order ("1.4.9-rc.1" < "1.4.9-rc.2").
+    if (aPre === bPre)
+        return 0;
+    if (!aPre)
+        return 1;
+    if (!bPre)
+        return -1;
+    return aPre < bPre ? -1 : 1;
+}
+async function fetchLatestVersion() {
+    // npm's registry returns the latest version in dist-tags without
+    // requiring an unauthenticated header; this is the same endpoint
+    // `npm view @prave/cli version` hits.
+    const url = `https://registry.npmjs.org/-/package/${encodeURIComponent(NPM_PACKAGE)}/dist-tags`;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), REQUEST_TIMEOUT_MS);
+    try {
+        const res = await fetch(url, { signal: ctrl.signal });
+        if (!res.ok)
+            return null;
+        const json = (await res.json());
+        return typeof json.latest === 'string' ? json.latest : null;
+    }
+    catch {
+        // Aborted, offline, registry down, JSON broken — treat as "no update".
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+function printUpgradeNotice(current, latest) {
+    const rule = chalk.dim('─'.repeat(60));
+    console.log();
+    console.log(rule);
+    console.log(`${chalk.yellow('↑')}  ${chalk.bold('Prave CLI update available')}  ` +
+        `${chalk.dim(current)} ${chalk.dim('→')} ${chalk.green(latest)}`);
+    console.log(chalk.dim(`   Run  npm install -g ${NPM_PACKAGE}@latest`));
+    console.log(rule);
+}
+/**
+ * Public entry. Cheap to call: most invocations short-circuit on the
+ * throttle and don't touch the network. Caller is expected to `await`
+ * but the promise resolves quickly in the steady state.
+ */
+export async function maybeCheckForUpdate(currentVersion) {
+    if (!process.stdout.isTTY)
+        return;
+    if (process.env.PRAVE_QUIET === '1')
+        return;
+    if (process.env.PRAVE_TELEMETRY === '0')
+        return;
+    if (!(await dueForCheck()))
+        return;
+    // Record the attempt up-front so a network hang doesn't cause us to
+    // re-fire on every subsequent command before this one resolves.
+    await writeLocalConfigPatch({ last_update_check: Date.now() });
+    const latest = await fetchLatestVersion();
+    if (!latest)
+        return;
+    if (compareVersions(latest, currentVersion) <= 0)
+        return;
+    printUpgradeNotice(currentVersion, latest);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prave/cli",
-  "version": "1.4.10",
+  "version": "1.4.12",
   "description": "Prave CLI — discover, install, version, test, and ship Claude Skills. The developer platform for the complete Skill lifecycle.",
   "type": "module",
   "keywords": [
@@ -54,7 +54,7 @@
     "ora": "^8.0.1",
     "tar": "^7.4.3",
     "undici": "^6.18.0",
-    "@prave/shared": "1.4.10"
+    "@prave/shared": "1.4.12"
   },
   "devDependencies": {
     "@types/node": "^20.12.7",
@@ -71,6 +71,6 @@
     "build": "tsc -p tsconfig.json && node scripts/inject-config.mjs",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "lint": "tsc -p tsconfig.json --noEmit",
-    "postinstall": "node scripts/postinstall.mjs || true"
+    "postinstall": "test -f scripts/postinstall.mjs && node scripts/postinstall.mjs || true"
   }
 }