@prave/cli 1.4.6 → 1.4.7

package/dist/index.js

@@ -15,7 +15,6 @@ import { mcpInstallCommand } from './commands/mcp-install.js';
 import { mcpServerCommand } from './commands/mcp-server.js';
 import { optimizeCommand } from './commands/optimize.js';
 import { overviewCommand } from './commands/overview.js';
-import { runDeployCommand, runListCommand, runLogsCommand, runTriggerCommand, } from './commands/run.js';
 import { searchCommand } from './commands/search.js';
 import { settingsCommand } from './commands/settings.js';
 import { syncCommand } from './commands/sync.js';
@@ -40,7 +39,6 @@ const program = new Command()
     '    prave login          # device-code auth in your browser',
     '    prave search <q>     # discover community skills',
     '    prave install <slug> # pull into ~/.claude/skills/ (multi-agent prompt included)',
-    '    prave run deploy     # bundle cwd, schedule on Prave\'s sandbox',
     '    prave usage hook install   # real-time invocation tracking',
     '',
     '  Docs:    https://prave.app/docs',
@@ -151,30 +149,6 @@ program
     .command('docs [slug]')
     .description('Open the docs in your browser. Bare `prave docs` lands on the home page; `prave docs cli/run` or `prave docs web/runs` jumps straight to a section.')
     .action((slug) => docsCommand(slug));
-// ─── prave run — scheduled server-side executions (Runs) ──────────
-const run = program
-    .command('run')
-    .description('Schedule a skill to fire on a cron, executed by your chosen AI agent on Prave\'s sandbox. Bring the whole project — SKILL.md, scripts, .env.');
-run
-    .command('deploy [path]')
-    .description('Bundle the current directory (or `path`), upload it to Prave, and open the browser wizard to pick the schedule + agent.')
-    .action((path) => runDeployCommand(path));
-run
-    .command('update <slug> [path]')
-    .description("Re-upload the bundle for an existing run. Same flow as `deploy`, but the run's schedule, agent and env vars stay intact — only the project files swap.")
-    .action((slug, path) => runDeployCommand(path, { updateRunSlug: slug }));
-run
-    .command('list')
-    .description('List your scheduled runs with next-fire time + last status.')
-    .action(runListCommand);
-run
-    .command('logs <slug>')
-    .description('Print the latest execution log for a scheduled run.')
-    .action(runLogsCommand);
-run
-    .command('trigger <slug>')
-    .description('Fire a one-shot execution outside the cron schedule. Refused with 409 if another execution is already in flight. Tail with `prave run logs <slug>` afterwards.')
-    .action(runTriggerCommand);
 program
     .command('mcp install')
     .alias('mcp-install')
@@ -219,16 +193,9 @@ program
         'Settings',
         '  prave settings                     # configure agents + paths',
         '',
-        'Runs (scheduled cron on Prave)',
-        '  prave run deploy                   # bundle cwd, upload, open wizard',
-        '  prave run update <slug>            # re-upload bundle for an existing run',
-        '  prave run trigger <slug>           # fire one execution outside the cron',
-        '  prave run list                     # your scheduled runs',
-        '  prave run logs <slug>              # tail latest execution log',
-        '',
         'Docs',
         '  prave docs                         # open the docs in your browser',
-        '  prave docs <slug>                  # jump to a section, e.g. cli/run',
+        '  prave docs <slug>                  # jump to a section',
         '',
         'Telemetry',
         '  PRAVE_TELEMETRY=0                  # opt out of CLI usage analytics',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prave/cli",
-  "version": "1.4.6",
+  "version": "1.4.7",
   "description": "Prave CLI — discover, install, version, test, and ship Claude Skills. The developer platform for the complete Skill lifecycle.",
   "type": "module",
   "keywords": [
@@ -54,7 +54,7 @@
     "ora": "^8.0.1",
     "tar": "^7.4.3",
     "undici": "^6.18.0",
-    "@prave/shared": "1.4.6"
+    "@prave/shared": "1.4.7"
   },
   "devDependencies": {
     "@types/node": "^20.12.7",

package/dist/commands/run.js

@@ -1,481 +0,0 @@
-import { readdir, readFile, stat } from 'node:fs/promises';
-import { resolve, relative, basename, sep } from 'node:path';
-import { createInterface } from 'node:readline/promises';
-import { Buffer } from 'node:buffer';
-import chalk from 'chalk';
-import open from 'open';
-import ora from 'ora';
-import * as tar from 'tar';
-import { request } from 'undici';
-import { isLikelyTextPath, scanForSecrets, } from '@prave/shared';
-import { api, ApiError } from '../lib/api.js';
-import { CONFIG } from '../lib/config.js';
-import { loadCredentials, requireAuth } from '../lib/credentials.js';
-import { log } from '../utils/logger.js';
-/**
- * `prave run` — scheduled server-side skill executions on Prave's
- * infrastructure.
- *
- *   prave run deploy [path]       # bundle dir → upload → open wizard
- *   prave run list                # list my deployed runs
- *   prave run logs <slug>         # tail the most recent execution logs
- *
- * `deploy` is the headline action — the rest just expose the same data
- * the dashboard already shows. The wizard handles schedule + agent
- * selection in the browser because picking from an agent dropdown
- * filtered to "which API keys do I have" is way clearer in a UI than
- * an interactive prompt.
- */
-// Sane-default ignore list for `tar.create` — none of these belong in
-// a deployable bundle and dragging them up adds noise to the scan +
-// bloats storage.
-const TAR_IGNORE = new Set([
-    '.git',
-    '.github',
-    '.next',
-    '.turbo',
-    '.svelte-kit',
-    '.cache',
-    'node_modules',
-    'dist',
-    'build',
-    'coverage',
-    '.venv',
-    'venv',
-    '__pycache__',
-    '.DS_Store',
-]);
-const MAX_BUNDLE_BYTES = 20 * 1024 * 1024; // matches API + Supabase Storage cap
-const MAX_FILES = 200;
-export async function runDeployCommand(pathArg, options = {}) {
-    const isUpdate = Boolean(options.updateRunSlug);
-    const root = resolve(pathArg ?? process.cwd());
-    const rootStat = await stat(root).catch(() => null);
-    if (!rootStat?.isDirectory()) {
-        log.error(`Not a directory: ${root}`);
-        process.exit(1);
-    }
-    // Sanity check — the dir should *look* like a skill project. We don't
-    // hard-reject; we just warn if there's no SKILL.md anywhere.
-    const skillMd = await findSkillMd(root);
-    if (!skillMd) {
-        log.warn('No SKILL.md found in this directory. Deploys still work without it, but the runner will not have skill-shaped context for the agent.');
-    }
-    const creds0 = await requireAuth('prave run');
-    if (!creds0)
-        return;
-    // 1a. Look for .env / .env.production / .env.local etc. The scanner
-    // would otherwise hard-reject them on the upload. Offer to lift the
-    // values out of the bundle and pass them to the wizard so they end
-    // up encrypted on the run row instead of in the tarball.
-    const envFiles = await findEnvFiles(root);
-    let envVars = {};
-    const stripPaths = new Set();
-    if (envFiles.length > 0) {
-        const totalKeys = envFiles.reduce((n, f) => n + Object.keys(f.values).length, 0);
-        console.log();
-        console.log(chalk.bold(`Found ${envFiles.length} env file${envFiles.length === 1 ? '' : 's'} with ${totalKeys} variable${totalKeys === 1 ? '' : 's'}:`));
-        for (const f of envFiles) {
-            console.log(`  ${chalk.cyan('•')} ${f.path}  ${chalk.dim(`(${Object.keys(f.values).length} keys)`)}`);
-        }
-        console.log(chalk.dim('\nIf you continue, Prave strips these from the upload and passes the\n' +
-            'values to the browser wizard. They get AES-256-GCM-encrypted onto\n' +
-            'the run, decrypted only inside the sandbox at run-time.\n' +
-            'Decline to abort so you can clean up first.'));
-        const yes = await confirmYesNo('Strip & pass env vars to the wizard?');
-        if (!yes) {
-            log.error('Aborted. Remove the .env file(s) (or rename to .env.example) and re-run.');
-            process.exit(1);
-        }
-        for (const f of envFiles) {
-            stripPaths.add(f.path);
-            Object.assign(envVars, f.values);
-        }
-    }
-    // 1b. Local secret-scan BEFORE we ship anything. Cheap defence in
-    // depth — even though the API scans again, surfacing the finding
-    // pre-upload saves the user a round-trip and avoids briefly storing
-    // a secret-bearing tarball in our bucket. The env files we just
-    // accepted to lift out are excluded from the scan.
-    const localFindings = await preflightScan(root, stripPaths);
-    if (localFindings.length > 0) {
-        log.error('Bundle contains files that look like secrets:');
-        for (const f of localFindings.slice(0, 10)) {
-            console.error(`  ${chalk.red('•')} ${f.rule}  ${chalk.dim(f.path)}${f.line ? `:${f.line}` : ''}`);
-        }
-        console.error(chalk.dim('\nRemove these files (or scrub the values) and re-run.\n' +
-            'For env vars, ship a .env.example template instead — Prave\n' +
-            'will prompt you for the real values during the wizard.'));
-        process.exit(1);
-    }
-    // 2. Mint the deploy session. Update flows tag the session with
-    // the existing run's slug so the upload handler swaps that run's
-    // bundle pointer instead of creating a fresh row.
-    const initSpinner = ora(isUpdate ? `Opening update session for ${options.updateRunSlug}…` : 'Opening deploy session…').start();
-    let session;
-    try {
-        const initPath = isUpdate
-            ? `/api/v1/deploy/init?run_slug=${encodeURIComponent(options.updateRunSlug)}`
-            : '/api/v1/deploy/init';
-        const { data } = await api.post(initPath, {}, true);
-        session = data.session;
-        initSpinner.succeed('Session opened');
-    }
-    catch (err) {
-        initSpinner.fail(`Could not open deploy session: ${err.message}`);
-        process.exit(1);
-    }
-    // 2b. Ship env vars to the wizard before the upload so they're
-    // waiting when the browser opens. The wizard reads them once via
-    // /deploy/status and pre-fills its env-vars step.
-    if (Object.keys(envVars).length > 0) {
-        const envSpinner = ora('Sending env vars to the wizard…').start();
-        try {
-            await api.post(`/api/v1/deploy/env?session=${encodeURIComponent(session.session_id)}`, { env_vars: envVars }, true);
-            envSpinner.succeed(`Passed ${Object.keys(envVars).length} env var(s)`);
-        }
-        catch (err) {
-            envSpinner.fail(`Could not ship env vars: ${err.message}`);
-            process.exit(1);
-        }
-    }
-    // 3. Pack the directory into a gzipped tar in memory. tar.create's
-    // `cwd` option is critical — paths inside the archive must be
-    // RELATIVE to the project root, not absolute. Stripped paths are
-    // env files we already shipped via /deploy/env above.
-    const packSpinner = ora('Bundling project…').start();
-    let tarball;
-    try {
-        tarball = await packDirectory(root, stripPaths);
-        packSpinner.succeed(`Bundled ${formatBytes(tarball.length)}`);
-    }
-    catch (err) {
-        packSpinner.fail(`Bundle failed: ${err.message}`);
-        process.exit(1);
-    }
-    if (tarball.length > MAX_BUNDLE_BYTES) {
-        log.error(`Bundle is ${formatBytes(tarball.length)}, cap is ${formatBytes(MAX_BUNDLE_BYTES)}. ` +
-            'Add large files to .gitignore-style noise (or place them in node_modules / .git which we already skip).');
-        process.exit(1);
-    }
-    // 4. Stream the tarball to /deploy/upload. We use undici directly
-    // because api.ts only does JSON.
-    const uploadSpinner = ora('Uploading to Prave…').start();
-    const creds = await loadCredentials();
-    if (!creds) {
-        uploadSpinner.fail('Credentials expired mid-flight — please re-login.');
-        process.exit(1);
-    }
-    const uploadUrl = `${CONFIG.apiUrl}/api/v1/deploy/upload?session=${encodeURIComponent(session.session_id)}`;
-    try {
-        const { statusCode, body } = await request(uploadUrl, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/gzip',
-                Authorization: `Bearer ${creds.access_token}`,
-            },
-            body: tarball,
-        });
-        const text = await body.text();
-        if (statusCode >= 400) {
-            const parsed = safeJson(text);
-            const msg = parsed?.error ?? `HTTP ${statusCode}`;
-            uploadSpinner.fail(`Upload rejected: ${msg}`);
-            process.exit(1);
-        }
-        uploadSpinner.succeed('Upload complete');
-        // Update flow: the server already swapped the run's bundle
-        // pointer. No wizard, no browser open — just confirm + exit.
-        const parsed = safeJson(text);
-        if (isUpdate || parsed?.updated_run_slug) {
-            console.log();
-            console.log(chalk.bold(`Updated ${parsed?.updated_run_slug ?? options.updateRunSlug}.`));
-            console.log(chalk.dim('  Next scheduled fire will use the freshly-uploaded bundle.\n' +
-                '  Open the dashboard:'));
-            console.log(chalk.cyan('  ' + session.wizard_url));
-            return;
-        }
-    }
-    catch (err) {
-        uploadSpinner.fail(`Upload failed: ${err.message}`);
-        process.exit(1);
-    }
-    // 5. New-run flow: open the browser at the wizard.
-    console.log();
-    console.log(chalk.bold('Finish in the browser:'));
-    console.log(chalk.cyan('  ' + session.wizard_url));
-    try {
-        await open(session.wizard_url);
-    }
-    catch {
-        /* user can copy the URL manually */
-    }
-}
-export async function runListCommand() {
-    if (!(await requireAuth('prave run list')))
-        return;
-    const spinner = ora('Fetching runs…').start();
-    try {
-        const { data } = await api.get('/api/v1/runs', true);
-        spinner.stop();
-        if (!data.runs.length) {
-            console.log(chalk.dim('No runs yet. `prave run deploy` to schedule your first one.'));
-            return;
-        }
-        for (const r of data.runs) {
-            const nextRun = r.next_run_at
-                ? new Date(r.next_run_at).toLocaleString()
-                : chalk.dim('paused');
-            const status = r.status === 'active'
-                ? chalk.green('active')
-                : r.status === 'paused'
-                    ? chalk.yellow('paused')
-                    : chalk.red(r.status);
-            console.log(`  ${chalk.bold(r.name)}  ${chalk.dim(r.slug)}\n` +
-                `    ${chalk.dim(`agent=${r.agent}  schedule=${r.schedule_kind}  status=${status}  next=${nextRun}`)}`);
-        }
-    }
-    catch (err) {
-        spinner.fail(err.message);
-        process.exit(err instanceof ApiError ? 1 : 1);
-    }
-}
-export async function runLogsCommand(slug) {
-    if (!(await requireAuth('prave run logs')))
-        return;
-    const spinner = ora(`Fetching logs for ${slug}…`).start();
-    try {
-        const { data } = await api.get(`/api/v1/runs/${encodeURIComponent(slug)}/executions?limit=10`, true);
-        spinner.stop();
-        if (!data.executions.length) {
-            console.log(chalk.dim('No executions yet. The first one will appear after the next scheduled fire.'));
-            return;
-        }
-        const latest = data.executions[0];
-        const status = latest.status === 'success'
-            ? chalk.green(latest.status)
-            : latest.status === 'running'
-                ? chalk.cyan(latest.status)
-                : chalk.red(latest.status);
-        console.log(`${chalk.bold(slug)}  ${chalk.dim(latest.started_at)}  ${status}` +
-            (latest.duration_ms !== null ? chalk.dim(`  (${latest.duration_ms}ms)`) : ''));
-        console.log();
-        console.log(latest.log_text ?? chalk.dim('(no log captured)'));
-        if (latest.error_message) {
-            console.log();
-            console.log(chalk.red('Error: ') + latest.error_message);
-        }
-    }
-    catch (err) {
-        spinner.fail(err.message);
-        process.exit(1);
-    }
-}
-// ── helpers ──────────────────────────────────────────────────────────
-async function findSkillMd(root) {
-    // Top-level only — most skill projects ship SKILL.md at the root.
-    // Deeper search would be wasted work for the warning we'd print.
-    try {
-        const entries = await readdir(root);
-        return entries.find((n) => n.toLowerCase() === 'skill.md') ?? null;
-    }
-    catch {
-        return null;
-    }
-}
-async function preflightScan(root, stripPaths = new Set()) {
-    const inputs = [];
-    let files = 0;
-    let bytes = 0;
-    const visit = async (dir) => {
-        if (files >= MAX_FILES)
-            return;
-        if (bytes >= MAX_BUNDLE_BYTES)
-            return;
-        const entries = await readdir(dir, { withFileTypes: true }).catch(() => []);
-        for (const entry of entries) {
-            if (TAR_IGNORE.has(entry.name))
-                continue;
-            if (entry.name.startsWith('._'))
-                continue;
-            const abs = `${dir}${sep}${entry.name}`;
-            if (entry.isDirectory()) {
-                await visit(abs);
-                continue;
-            }
-            if (!entry.isFile())
-                continue;
-            const rel = relative(root, abs).split(sep).join('/');
-            // The user already accepted to lift this env file out of the
-            // bundle in the previous step. Don't scan it (we know it has
-            // secrets — that's why we're lifting it).
-            if (stripPaths.has(rel))
-                continue;
-            files++;
-            if (!isLikelyTextPath(rel)) {
-                inputs.push({ path: rel });
-                continue;
-            }
-            try {
-                const content = await readFile(abs, 'utf8');
-                bytes += content.length;
-                inputs.push({ path: rel, content });
-            }
-            catch {
-                inputs.push({ path: rel });
-            }
-        }
-    };
-    await visit(root);
-    return scanForSecrets(inputs).findings;
-}
-async function packDirectory(root, stripPaths = new Set()) {
-    // Top-level entries only — tar.create resolves them against `cwd`.
-    const entries = (await readdir(root)).filter((n) => !TAR_IGNORE.has(n));
-    if (entries.length === 0) {
-        throw new Error('Project directory is empty.');
-    }
-    // Normalise the strip-set against tar.create's relative-path format
-    // (POSIX forward slashes, no leading "./"). Paths sit one level
-    // beneath the archive's basename prefix, so we compare on the
-    // input-side relative path tar.create hands us.
-    const stripNormalised = new Set([...stripPaths].map((p) => p.replace(/\\/g, '/').replace(/^\.\//, '')));
-    const stream = tar.create({
-        gzip: true,
-        cwd: root,
-        portable: true,
-        // Prefix all paths with the project's basename so the runner
-        // gets a `<project>/SKILL.md` shape, not a flat dump at the
-        // archive root.
-        prefix: basename(root),
-        filter: (path) => {
-            const norm = path.replace(/\\/g, '/').replace(/^\.\//, '');
-            return !stripNormalised.has(norm);
-        },
-    }, entries);
-    const chunks = [];
-    for await (const chunk of stream) {
-        chunks.push(Buffer.from(chunk));
-    }
-    return Buffer.concat(chunks);
-}
-/**
- * Look for common `.env*` files at the project root. We don't scan
- * deeper than top-level — a nested `.env` is almost certainly a
- * shipping example, not the real secrets file. Returns an empty list
- * when nothing's found.
- */
-async function findEnvFiles(root) {
-    const entries = await readdir(root, { withFileTypes: true }).catch(() => []);
-    const findings = [];
-    for (const entry of entries) {
-        if (!entry.isFile())
-            continue;
-        const name = entry.name;
-        if (!isRealEnvFile(name))
-            continue;
-        try {
-            const raw = await readFile(`${root}${sep}${name}`, 'utf8');
-            const values = parseDotenv(raw);
-            if (Object.keys(values).length === 0)
-                continue;
-            findings.push({ path: name, values });
-        }
-        catch {
-            /* unreadable — skip */
-        }
-    }
-    return findings;
-}
-/**
- * `.env`, `.env.local`, `.env.production`, `.env.development`, `.envrc`
- * count as "real env files". Templates (`.env.example`, `.env.sample`,
- * `.env.template`) are explicitly NOT lifted — those are meant to be
- * shipped.
- */
-function isRealEnvFile(name) {
-    if (name === '.env' || name === '.envrc')
-        return true;
-    if (!name.startsWith('.env.'))
-        return false;
-    const suffix = name.slice('.env.'.length);
-    if (/^(example|sample|template)$/i.test(suffix))
-        return false;
-    return true;
-}
-function parseDotenv(text) {
-    const out = {};
-    for (const raw of text.split('\n')) {
-        const line = raw.trim();
-        if (!line || line.startsWith('#'))
-            continue;
-        const eq = line.indexOf('=');
-        if (eq <= 0)
-            continue;
-        const key = line.slice(0, eq).trim();
-        let value = line.slice(eq + 1).trim();
-        if ((value.startsWith('"') && value.endsWith('"')) ||
-            (value.startsWith("'") && value.endsWith("'"))) {
-            value = value.slice(1, -1);
-        }
-        if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(key))
-            out[key] = value;
-    }
-    return out;
-}
-async function confirmYesNo(question) {
-    // Non-interactive shells (pipes, CI) can't prompt — default to "no"
-    // so we never silently ship secrets in a script.
-    if (!process.stdout.isTTY || !process.stdin.isTTY)
-        return false;
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    try {
-        const answer = (await rl.question(`${question} [Y/n] `)).trim().toLowerCase();
-        return answer === '' || answer === 'y' || answer === 'yes';
-    }
-    finally {
-        rl.close();
-    }
-}
-function formatBytes(n) {
-    if (n < 1024)
-        return `${n}B`;
-    if (n < 1024 * 1024)
-        return `${(n / 1024).toFixed(1)}KB`;
-    return `${(n / 1024 / 1024).toFixed(2)}MB`;
-}
-function safeJson(text) {
-    try {
-        return JSON.parse(text);
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * `prave run trigger <slug>` — fire a single ad-hoc execution outside
- * the cron schedule. Refused with 409 when another execution is in
- * flight (same single-flight guard the dashboard's "Run now" button
- * uses). Returns immediately after enqueueing — tail with
- * `prave run logs <slug>` after a few seconds.
- */
-export async function runTriggerCommand(slug) {
-    if (!(await requireAuth('prave run trigger')))
-        return;
-    const spinner = ora(`Triggering ${slug}…`).start();
-    try {
-        await api.post(`/api/v1/runs/${encodeURIComponent(slug)}/trigger`, undefined, true);
-        spinner.succeed(`Triggered ${chalk.bold(slug)} — log will appear in a few seconds.`);
-        console.log(chalk.dim(`  Tail it with `) +
-            chalk.cyan(`prave run logs ${slug}`) +
-            chalk.dim(` (or watch the dashboard).`));
-    }
-    catch (err) {
-        if (err instanceof ApiError && err.status === 409) {
-            spinner.warn(`An execution is already in flight for ${slug} — wait for it to finish, then re-run.`);
-            return;
-        }
-        spinner.fail(err.message);
-        process.exit(1);
-    }
-}