@prave/cli 1.4.8 → 1.4.9

package/dist/commands/install.js

@@ -89,14 +89,26 @@ export async function installCommand(slug, opts = {}) {
         process.exitCode = 1;
         return;
     }
-    // Best-effort analyze pass on the freshly written files.
+    // Best-effort analyze pass on the freshly written files. Silently
+    // catching all errors here used to hide a real failure mode: when the
+    // user's CLI token had expired, every analyze call returned 401, the
+    // install ledger filled up, but skill_metadata stayed empty — so the
+    // web dashboard rendered honest zeros and looked broken. We still
+    // don't bail on transient errors (the install itself succeeded), but
+    // we DO surface auth failures once so the user knows to re-login.
+    let authWarned = false;
     for (const s of installedSlugs) {
         const path = join(CONFIG.skillsDir, s, 'SKILL.md');
         try {
             const content = await readFile(path, 'utf8');
             await api
                 .post('/api/v1/intelligence/analyze', { content, file_path: path, agent_type: 'claude' }, true)
-                .catch(() => { });
+                .catch((err) => {
+                if (!authWarned && err instanceof ApiError && err.status === 401) {
+                    authWarned = true;
+                    log.warn('Your CLI session expired — Skill intelligence will be out of sync until you run `prave login`.');
+                }
+            });
         }
         catch {
             /* file unreadable — skip */

package/dist/index.js

@@ -24,7 +24,7 @@ import { usageHookInstallCommand, usageHookUninstallCommand, usageReportCommand,
 import { whatdoesCommand } from './commands/whatdoes.js';
 import { whoamiCommand } from './commands/whoami.js';
 import { initAnalytics } from './lib/analytics.js';
-import { nudgeFirstRun } from './lib/nudge.js';
+import { captureAuthSnapshot, nudgeFirstRun } from './lib/nudge.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(resolve(__dirname, '..', 'package.json'), 'utf8'));
 initAnalytics(pkg.version);
@@ -204,6 +204,19 @@ program
         'Docs:   https://prave.app/docs',
     ].join('\n'));
 });
+// Capture auth state BEFORE the command runs. Critical for the
+// first-run welcome banner — if the user's very first command is
+// `prave login`, the postAction hook fires AFTER credentials are
+// saved, so a live auth check would read "signed in" and suppress
+// the welcome. The preAction snapshot freezes the pre-command state.
+program.hook('preAction', async () => {
+    try {
+        await captureAuthSnapshot();
+    }
+    catch {
+        /* never block the command on nudge bookkeeping */
+    }
+});
 // Global first-run banner. Fires once on the user's very first command
 // regardless of which one it was — catches commands that don't have a
 // per-action nudge wired in (e.g. `prave docs`, `prave conflicts`).

package/dist/lib/nudge.js

@@ -4,6 +4,23 @@ import { CONFIG } from './config.js';
 import { loadCredentials } from './credentials.js';
 import { isAlwaysShow, NUDGE_FIRST_RUN, nudgeFor, } from './nudge-constants.js';
 let alreadyNudged = false;
+/**
+ * Auth snapshot captured at command START, used at command END.
+ *
+ * Without this, `prave login` (very common first-ever command) traps
+ * us: the postAction hook fires AFTER credentials are saved, so the
+ * auth check inside canNudge() reads "signed in" → first-run banner
+ * suppressed → `first_run: false` written → user never sees the
+ * welcome message on any future command. The snapshot freezes the
+ * pre-command auth state so the first-run welcome still fires for a
+ * user whose very first command is the login itself.
+ */
+let wasAnonymousAtStart = null;
+export async function captureAuthSnapshot() {
+    if (wasAnonymousAtStart !== null)
+        return;
+    wasAnonymousAtStart = !(await isAuthenticated());
+}
 /* --------------------------------------------------------------------- */
 /*  Auth + state helpers                                                  */
 /* --------------------------------------------------------------------- */
@@ -101,11 +118,28 @@ async function canNudge() {
  * (no nudge_count yet AND first_run not yet set to false). Always strong,
  * always bypasses the throttle.
  *
+ * Uses the START-of-command auth snapshot, not live state. That way the
+ * banner still appears when the user's very first command is `prave
+ * login` itself — login completes, the postAction hook fires, and we
+ * still know they came in anonymous so the welcome is appropriate.
+ *
  * Returns true when shown — call sites use this to skip the regular nudge
  * on the same turn so we don't double-print.
  */
 export async function nudgeFirstRun() {
-    if (!(await canNudge()))
+    if (alreadyNudged)
+        return false;
+    if (!process.stdout.isTTY)
+        return false;
+    if (process.env.PRAVE_QUIET === '1')
+        return false;
+    if (process.env.PRAVE_TELEMETRY === '0')
+        return false;
+    // Honour the auth-at-start snapshot. If the user opened the session
+    // already authenticated, the welcome conversion banner doesn't fit —
+    // they don't need a "create free account" pitch.
+    const startedAnon = wasAnonymousAtStart ?? !(await isAuthenticated());
+    if (!startedAnon)
         return false;
     const cfg = await readConfig();
     // first_run defaults to "yes, show it" unless we've already flipped

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prave/cli",
-  "version": "1.4.8",
+  "version": "1.4.9",
   "description": "Prave CLI — discover, install, version, test, and ship Claude Skills. The developer platform for the complete Skill lifecycle.",
   "type": "module",
   "keywords": [
@@ -54,7 +54,7 @@
     "ora": "^8.0.1",
     "tar": "^7.4.3",
     "undici": "^6.18.0",
-    "@prave/shared": "1.4.8"
+    "@prave/shared": "1.4.9"
   },
   "devDependencies": {
     "@types/node": "^20.12.7",